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Abstract 


The  Midcourse  Space  Experiment  (MSX)  is  a  Strategic  Defense  Initiative  Organization  pro¬ 
gram  whose  primary  purpose  is  to  conduct  tracking  event  experiments  of  targets/phenomena 
in  midcourse. 

In  this  report  we  give  a  detailed  account  of  the  SDVS  verification  of  a  modified  portion  of 
the  MSX  tracking  processor  software.  We  present  a  functional  overview  of  this  part  of  the 
software,  discuss  and  fully  annotate  our  modifications  to  it,  list  the  SDVS  enhancements 
implemented  during  the  course  of  the  project,  and  present  a  proof  of  correctness  of  a  simple 
but  nontrivial  specification. 
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1  Introduction 


The  purpose  of  this  report  is  to  document  a  1993  joint  project  between  The  Aerospace 
Corporation  (Aerospace)  and  the  Johns  Hopkins  University  Apphed  Physics  Laboratory 
(JHU/APL)  to  verify  a  portion  of  the  Midcourse  Space  Experiment  (MSX)  spacecraft 
tracking  processor  software  (the  target  software)  using  SDVS.  The  project  consisted  of 
three  major  parts:  (1)  enhancements  to  SDVS,  primarily  to  the  SDVS  Ada  translator  and 
to  the  SDVS  proof  language;  (2)  modifications  to  the  target  software  required  by  the  SDVS 
Ada  translator,  and  (3)  proofs  of  and  specifications  for  the  modified  target  software. 

Although  we  will  give  a  very  brief  overview  of  the  MSX  software  we  are  attempting  to  verify, 
we  assume  that  the  reader  is  acquainted  with  [1].  Detailed  accounts  of  the  tracking  proces¬ 
sor  design  and  software  are  given  in  [2]  and  [3].  The  target  software  builds  and  processes 
application-level  messages  from  serial  digital  commands  relayed  from  the  command  proces¬ 
sor  to  the  tracking  processor.  There  are  eleven  types  of  application-level  messages.  One 
of  these,  the  data-structure  memory-load  apphcation  message  (data-structure  message,  for 
short),  can  modify  up  to  109  tracking  parameters.  At  the  present  time  only  61  of  these  109 
parameters  are  specified;  the  others  are  for  future  use.  The  number  of  commands  that  are 
required  to  form  a  data-structure  message  is  a  function  of  the  type  of  tracking  parameter 
that  the  data-structure  message  modifies.  Once  built,  the  data-structure  message  is  stored 
in  EEPROM,  RAM,  or  both.  Our  goal  was  to  verify  that  the  data-structure  messages  are 
built  according  to  their  specification.  The  specifications  for  data-structure  messages  are 
described  in  [4]. 

The  MSX  software  is  written  in  Ada  and  in  1750A  assembly.^  The  heart  of  the  target  soft¬ 
ware  consists  of  the  three  Ada  tasks  -  BUILD,  PROCESS-MSG,  and  MANAGE-MSG-RETRIEVAL 
-  in  the  package  APP_MSGS,  and  the  interrupt-driven  Ada  procedure  CMDJN_HANDLER  in 
the  package  SERIAL_DIG_CMDS.  When  an  interrupt  occurs  signaling  that  a  command  is 
ready  to  be  retrieved  from  a  designated  serial  port,  CMDJNJHANDLER  services  the  interrupt 
by  retrieving  the  command  and  storing  it  in  a  command  buffer.  For  an  infinite  num¬ 
ber  of  times,  if  the  command  buffer  is  not  empty,  BUILD  retrieves  the  command  buffer, 
constructs  application-level  messages  from  these  commands,  places  them  in  a  circular  mes¬ 
sage  queue,  and  waits  for  a  rendezvous  with  MANAGEJV1SG_RETRIEVAL.  Also  for  an  infinite 
number  of  times,  if  the  message  queue  is  not  empty,  PROCESS_MSG  will  rendezvous  with 
MANAGE_MSG_RETRIEVAL  to  retrieve  and  process  a  message  from  the  message  queue.  It 
stores  data-structure  messages  in  EEPROM,  RAM,  or  both.  As  its  name  indicates,  MAN- 
AGE-MSG-RETRIEVAL  synchronizes  the  other  two  tasks. 

The  three  tasks  and  the  interrupt-driven  procedure  are  essentiaRy  four  tasks.  It  is  important 
to  note  two  facts:  (1)  the  target  software  does  not  include  a  main  program  (or  scheduler) 
to  execute  the  tasks  and  the  interrupt- driven  procedure,  and  (2)  SDVS  does  not  currently 
handle  Ada  tasking.  As  a  consequence,  we  translated  the  tasks  into  procedures  and  em¬ 
bedded  these  procedures  in  a  program  specifying  an  order  of  their  execution.  However,  the 
translation  of  the  tasks  into  procedures  altered  an  important  aspect  of  their  executions; 

^  We  are  focusing  on  the  software  written  in  Ada.  SDVS  has  the  capability  to  verify  programs  written  in 
a  subset  of  1750A  assembly  language  as  well,  but  this  was  not  done  in  the  current  effort. 
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they  could  no  longer  be  interleaved.  Their  execution  as  procedures,  which  is  determined 
by  the  program,  is  one  of  the  many  possible  execution  sequences  for  the  tasks.  But  the 
specification  of  the  end  result,  namely  that  an  infinite  sequence  of  commands  be  processed 
into  a  corresponding  infinite  sequence  of  messages,  remained  the  same  for  both  the  original 
and  the  modified  MSX  software. 

Thus,  Aerospace  wrote  the  scheduler  for  the  procedures  that  were  tasks  in  the  original 
software.  Furthermore,  we  had  to  alter  these  procedures  in  various  ways;  these  changes  are 
explained  in  Section  4  and  documented  (statement  by  statement)  in  the  actual  modified 
target  software  listed  in  Appendix  A.  Some  of  the  changes  are  equivalent  to  the  original  MSX 
code  and  some  are  not.  We  did  not  verify  the  correctness  of  the  original  code.  However,  we 
verified  certain  properties  of  the  modified  code  that  should  also  describe  the  original  code; 
if  the  modified  code  did  not  satisfy  the  properties,  then  the  original  code  would  not  have 
satisfied  the  properties.  As  a  pragmatic  consideration,  if  the  modified  code  had  not  satisfied 
the  properties,  then,  using  the  specifications,  we  could  have  constructed  the  appropriate  test 
cases  to  demonstrate  that  the  original  code  is  incorrect.  There  is  a  range  of  possibilities  in 
applying  formal  methods:  e.g.  formal  specification  and  no  proof,  specification  with  hand- 
proof,  specification  with  automated  proof,  etc.  The  MSX  application  was  intended  to  stress 
our  current  SDVS  capabilities  by  applying  formal  methods  where  possible,  and  it  has  been 
very  useful  for  this.  We  worked  with  about  1000  lines  of  Ada  code  and  tried  to  keep  the 
modified  version  as  close  as  possible  to  the  original.  The  modified  version  of  the  code  builds 
and  processes  messages,  but  without  concurrent  processes  and  a  few  other  Ada  constructs. 

Section  2  presents  a  chronology  of  the  MSX  verification  project  using  SDVS.  After  selecting 
the  target  software,  we  “walked  through”  the  code  to  study  it  and  itemize  the  Ada  constructs 
not  handled  by  the  SDVS  Ada  translator.  We  also  analyzed  the  parts  of  the  code  that 
interface  with  1750A  assembly  language  and  the  “intrinsic”  functions  supplied  by  the  Tartan 
compiler,  which  is  used  for  the  compilation  of  the  MSX  software.  The  walk-through  and 
the  correspondence  between  Aerospace  and  JHU /APT  were  instrumental  in  the  discovery  of 
two  errors  in  the  target  software.^  After  this  initial  phase  of  the  project,  we  began  the  task 
of  verification.  Our  approach  was  to  provide  proofs  of  correctness  for  increasingly  complex 
situations.  For  our  purposes,  a  correctness  proof  involves  a  program,  a  condition  on  its 
input  (the  input  condition),  and  a  specification  relating  the  input  to  the  output  (the  output 
condition).  Complexity  arose  primarily  from  the  generality  of  the  scheduler  and  the  type 
of  input  allowed  by  the  input  condition. 

Section  3  discusses  the  enhancements  we  made  to  SDVS  for  the  verification  project,  and 
Section  4  discusses  modifications  we  made  to  the  target  software. 

Section  5  presents  some  of  the  details  of  the  proofs.  The  proofs  appear  in  Appendix  B.  The 
scheduler  that  we  wrote  for  CMDJN_HANDLER,  BUILD  and  PROCESS_MSG  limits  drastically 
the  executions  it  encompasses;  that  is,  the  situations  that  arise  in  these  executions,  although 
possible,  are  really  quite  simple.  For  example,  in  every  one  of  the  allowed  executions,  the 
message  queue  is  either  empty  or  contains  exactly  one  message,  and  the  command  buffer 
cannot  be  already  full  when  another  command  is  to  be  buffered.  Thus,  the  message  queue 
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We  note  that  at  the  time  the  errors  were  discovered,  JHU /APL  had  not  tested  the  code  extensively. 
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can  never  overflow,  and  commands  can  never  be  lost.  If  there  are  any  errors  in  the  target 
software,  one  would  expect  them  to  be  in  precisely  these  boundary  situations.  It  is  reaUy 
quite  simple  to  write  a  scheduler  that  allows  these  boundary  conditions  to  occur.  We  were 
forced  to  write  this  simple  scheduler,  because  a  proof  of  correctness  for  a  more  general 
scheduler  would  have  been  too  difficult  to  construct  in  the  time  allotted  for  the  one-year 
verification  project.  However,  we  think  it  is  possible  in  SDVS  to  prove  correctness  for  more 
general  schedulers. 

In  Section  6  we  discuss  and  present  results  from  an  approach  involving  the  offline  char¬ 
acterization  capability  of  SDVS,  which  we  think  would  facihtate  proofs  of  correctness  for 
more  general  schedulers.  An  approach  to  the  verification  effort  using  offline  characterization 
would  also  reduce  the  size  of  proofs  and  the  storage  required  for  them,  probably  allowing 
the  user  to  prove  the  correctness  of  the  four  large  messages  that  we  were  unable  to  prove 
because  of  storage  and  time  considerations.^ 

Offline  characterization  allows  one  to  prove  in  SDVS  an  adalemma  for  a  subprogram  of  a 
main  program  characterizing  the  results  of  the  execution  of  the  subprogram  in  a  specific 
environment.  It  is,  in  fact,  a  proof  of  correctness  for  the  subprogram.  Instead  of  symbolically 
executing  a  subprogram  when  it  is  called  in  the  SDVS  execution  of  the  main  program,  one 
may  apply  the  adalemma  for  the  subprogram  and  bypass  its  execution.  This  approach  saves 
time  and  storage  in  a  proof  of  correctness  of  a  main  program  in  which  there  are  repeated 
calls  to  the  subprogram.  It  also  has  the  advantage  of  modularizing  long  proofs. 

Section  7  contains  our  conclusions  on  the  1993  MSX  verification  project  using  SDVS. 


®This  verification  project  ended  in  fiscal  year  1993. 
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2  Chronology  of  the  MSX  Verification  Experiment 


In  this  section  we  highlight  the  chronology  of  the  1993  MSX  verification  project  using  SDVS. 
We  first  note  that  many  of  the  tasks  constituting  the  project  occurred  throughout  fiscal  year 
1993  and  and  some  tasks  were  done  concurrently.  For  example,  the  enhancements  to  SDVS 
necessitated  by  the  project  continued  throughout  its  duration,  as  was  the  fixing  of  SDVS 
bugs  not  previously  detected. 

We  first  studied  the  documentation  for  the  tracking  processor  software  (reports  [2],  [3]  and 
[4])  and  then  looked  at  the  actual  code.  In  our  walkthrough  we  examined  18  library  units 
that  fell  either  in  the  area  or  on  the  periphery  of  our  target  software  and  noted  the  following: 

(i)  the  library  units  and,  specifically,  the  parts  (targets)  thereof  needed  in  the  building 
or  processing  of  data-structure  messages; 

(ii)  the  Ada  constructs  in  the  targets  not  handled  by  the  SDVS  Ada  translator; 

(iii)  the  targets  whose  bodies  were  written  in  1750A  assembly  code;  and 

(iv)  the  nonstandard  Ada  function  targets  provided  by  the  Tartan  compiler  (some  of  the 
“intrinsic”  functions). 


The  part  of  the  MSX  code  we  selected  for  verification  was  chosen  partially  because  of  its 
importance  to  the  MSX  experiment  as  a  whole.  In  the  process  of  selecting  the  targets,  we 
had  to  select,  for  our  purposes,  two  demarcation  points  in  the  software:  the  point  at  which 
the  input  stream  of  commands  begins  and  the  point  at  which  the  writing  of  data-structure 
messages  to  EEPROM  ends.  The  first  selection  was  easy:  the  input  stream  of  commands 
begins  at  the  servicing  of  an  interrupt  by  CMDJNJEANDLER. 

The  second  selection  was  only  shghtly  more  difficult.  PROCESS_MSG  processes  all  application- 
level  messages.  If  the  message  is  a  data-structure  message  and  is  to  be  written  in  EEPROM, 
it  calls  EEPROM_DATA.STOREJ)ATA^TRUCJN_EEPROM. 

Although  STORE_DATA^TRUCJN_EEPROM  has  an  Ada  body,  this  body  repeatedly  calls  sub¬ 
programs  written  in  1750A  assembly.  For  this  reason,  we  decided  to  consider  that  the  mes¬ 
sages  have  been  written  to  EEPROM  at  the  call  to  EEPROMJDATA.STOREJiATA^TRUCJNJEEPROM. 

The  walkthrough  determined  our  real  target  software:  the  targets  within  the  two  points  of 
demarcation  and  any  other  part  of  the  Ada  code  they  required. 

We  partitioned  the  Ada  constructs  of  item  (ii)  above  into  two  groups:  (1)  those  we  would  add 
to  the  SDVS  Ada  translator,  and  (2)  those  we  would  replace  by  equivalent  Ada  constructs 
(for  example,  hexadecimal  literals  by  decimal  literals)  or  simply  replace  by  nonequivalent 
constructs  (for  example,  tasks  by  procedures).  We  then  started  to  implement  the  constructs 
in  the  first  group  into  the  SDVS  Ada  translator  and  made  the  appropriate  modifications  to 
the  code  for  the  constructs  in  the  second  group.'* 

^These  are  described  in  Sections  3  and  4  of  this  report. 
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In  Section  4  we  discuss  the  targets  written  in  1750A  assembly  and  our  handling  of  them. 
In  a  few  cases,  we  wrote  simple  Ada  code  for  their  bodies  that  altered  their  functionality. 
For  example,  our  version  of  the  CHECK-PARITY  function  simply  returns  the  boolean  value 
true,  whereas  the  original  function  returns  either  true  or  false,  depending  on  the  parity  of 
the  object  to  which  it  is  applied.  This  change  in  the  function  alters  the  behavior  of  the 
main  program.  However  it  does  not  alter  the  behavior  of  the  main  program  under  the 
assumptions  that  aU  inputs  have  good  parity,  which  is,  in  fact,  one  of  our  assumptions. 

Common  instances  of  calls  to  routines  written  in  1750A  assembly  language  were  calls  to 
MEMORY_MANAGER.CONV_TYPE  to  convert  from  one  type  to  another.  We  substituted  these 
calls  by  explicit  Ada  type  conversions:  JHU/APL  did  not  use  these  type  conversions,  be¬ 
cause  they  were  not  handled  properly  by  the  Tartan  compiler. 

The  actual  MSX  software  is  compiled  at  JHU/APL  by  the  Tartan  compiler.  To  test  the 
target  code  using  the  Verdix  Ada  compiler  available  at  Aerospace,  we  wrote  Ada  programs 
for  the  target  “intrinsic”  functions  provided  by  the  Tartan  compiler:  ANDJ,  AND_WORD, 
AND-BYTE,  and  ORJ.  In  the  final  SDVS  correctness  proofs,  we  characterized  these  func¬ 
tions  by  adalemmas.  We  used  the  Verdix  compiler  to  test  our  modifications  for  syntactic 
correctness  at  every  step  of  the  modification  process.  In  fact,  we  also  tested  several  versions 
of  the  original  code  by  executing  it  with  various  inputs.  These  versions  were  not  identical 
to  the  original  code  because  we  replaced  the  routines  that  were  written  in  1750A  assembly 
language,  and  we  provided  bodies  for  the  Tartan-supplied  “intrinsic”  functions.  But,  we 
were  able  to  test  versions  that  were  close  to  the  original;  for  example,  we  were  able  to  test 
a  version  with  the  original  tasks. 

Once  we  made  the  modifications  and  added  the  capability  to  translate  subtypes  to  the 
SDVS  Ada  translator,  we  made  our  first  attempt  to  translate  and  execute  the  target  code 
in  SDVS.  We  were  immediately  beset  by  a  great  number  of  heretofore  undetected  bugs  in 
SDVS.  SDVS  had  never  been  stressed  with  such  a  large  Ada  program  before.  We  estimate 
that  more  than  half  of  our  time  on  this  project  was  spent  in  fixing  bugs  or  in  attempting 
to  deal  with  time  and  storage  problems.  As  yet,  the  latter  are  not  totally  resolved. 

After  the  bugs  were  corrected,  we  were  able  to  complete  a  proof  of  correctness  in  SDVS 
of  a  program  processing  exactly  three  commands.  The  scheduler  first  made  three  calls 
to  CMDJNJBANDLER,  then  a  call  to  BUILD,  and  finally  a  call  to  PROCESS_MSG.  The  input 
condition  asserted  that  the  input  consisted  of  three  commands  encoding  an  “AP  propagation 
time”  data-structure  message  to  be  written  in  EEPROM.  The  output  condition  asserted 
that  the  message  stored  in  EEPROM  corresponded,  in  a  manner  stipulated  by  the  MSX 
documentation,  to  the  input  commands.  Even  for  such  a  minor  proof,  the  SDVS  proof  trace 
was  over  350  pages  long. 

We  next  completed  the  inf-seq-of-2-msg-types  proof.  Its  input  condition  specified  an  input 
consisting  of  an  infinite  sequence  of  blocks  of  commands,  each  block  encoding  one  of  two 
types  of  data-structure  messages:  an  “AP  propagation  time”  message  (message  ID  10)  or 
a  “filter  loss  of  track  rules”  message  (message  ID  22).  In  an  infinite  cycle,  the  scheduler 
called  CMDJN-HANDLER  precisely  the  number  of  times  needed  to  retrieve  the  next  block 
from  the  input,  then  BUILD,  and  finally  PROCESS-MSG.  The  output  condition  asserted  that 
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for  each  block  of  commands  in  the  input,  there  is  a  message  in  the  output  corresponding 
to  the  input  block  in  the  manner  stipulated  by  the  MSX  documentation.  Furthermore,  the 
correspondence  of  blocks  of  commands  to  messages  is  one-to-one,  onto,  and  order-preserving. 

It  would  seem  that  inf-seq.of-2-msg-types  could  be  trivially  generalized  to  a  proof  whose 
input  condition  specifies  an  input  consisting  of  an  infinite  sequence  of  blocks  of  commands, 
each  block  encoding  any  one  of  the  61  data-structure  messages  and  whose  output  con¬ 
dition  is  amended  in  the  obvious  way.  (For  future  reference,  we  refer  to  this  proof  as  the 
“inf-seq-of-61-msg-types”  proof.)  However,  our  attempts  to  complete  inf-seq-of-61-msg-types 
were  thwarted  by  the  amount  of  time  required  for  its  completion:  the  system  on  which  we 
ran  it  never  stayed  up  long  enough  to  complete  it.  We  estimated  it  would  take  at  least 
seven  days  for  the  proof  to  terminate. 

The  major  problem  is  that  in  proving  that  the  nth  block  of  commands  is  processed  correctly, 
each  of  the  61  possible  cases  for  this  block  must  be  considered  separately  (at  least  in  our 
approach).  Each  case  adds  to  the  execution  time  of  the  proof.  One  of  our  solutions  was  to 
run  many  separate  but  similar  proofs.  In  each  proof  we  considered  only  a  few  of  the  cases 
for  the  nth  block  of  commands,  proved  that  one  case,  and  deferred  the  proof  for  the  other 
cases.  But  we  ran  into  a  problem.  Because  four  of  the  messages  were  unusually  long,  the 
correctness  proof  for  each  one  of  these  messages  required  more  storage  than  that  allowed 
by  the  SDVS  image  (about  70  megabytes)  and  even  more  storage  than  that  allowed  by  the 
SDVS  image  we  created  specifically  for  the  MSX  verification  project  (300  megabytes).  We 
were  thus  unable  to  verify  the  correctness  for  these  four  messages. 

In  our  attempt  to  execute  the  inf-seq-of^61-msg-types  proof,  we  had  to  implement  three  new 
proof  rules  in  SDVS:  repeat,  loop,  and  if.  These  were  necessitated  by  the  sheer  size  of  the 
proof  and  are  discussed  in  the  next  section.  As  we  said  in  the  previous  page,  we  were  never 
able  to  complete  inf^eq-of-61-msg-types,  because  the  system  never  stayed  up  long  enough 
for  us  to  complete  it.  But  we  were  able  to  complete  57  of  the  cases  in  separate  proofs. 

Towards  the  latter  part  of  the  project,  we  realized  that  many  of  our  time  and  storage 
problems  would  be  solved  if  we  proved  adalemmas  for  some  of  the  key  subprograms  in 
BUILD  and  in  CMDJNJBANDLER.  We  were  able  to  complete  adalemmas  for  two  of  the  main 
procedures  in  BUILD,  and  these  are  described  in  Section  6. 
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3  Enhancements  Made  to  SDVS  for  the  MSX  Verification 
Project 


There  are  two  main  types  of  enhancements  we  made  to  SDVS  for  the  MSX  verification 
project:  enhancements  to  the  SDVS  Ada  environment  and  the  addition  of  three  proof 
commands  not  specific  to  that  environment. 

We  first  list  and  comment  on  the  SDVS  Ada  environment  enhancements.  The  first  five  in 
the  list  are  standard  Ada  constructs  (see  [5]),  whereas  the  others  are  improvements  to  the 
SDVS  Ada  proof  environment. 

(i)  Integer  subtypes: 

One  of  the  important  aspects  of  the  addition  of  integer  subtypes  to  the  Ada  translator 
is  that  an  assignment  to  an  integer  subtype  object  is  allowed  by  SDVS  only  if  the  value 
assigned  to  the  object  is  within  the  range  of  the  subtype. 

(ii)  Integer  definition  types: 

The  restrictions  on  assignment  are  similar  to  those  for  integer  subtypes:  an  assignment 
to  an  integer  definition  type  object  is  allowed  by  SDVS  only  if  the  value  assigned  to 
the  object  is  within  the  range  stipulated  by  its  type  definition. 

(iii)  Type  conversions: 

These  conversions  are  allowed  only  for  integer  numeric  types  (integer  types  and  integer 
definition  types). 

(iv)  UNCHECKED-CONVERSION: 

We  have  added  UNCHECKED-CONVERSION  only  for  integer  numeric  types. 

(v)  Length  representation  clauses: 

These  have  been  implemented  only  for  integer  numeric  types.  The  length  stipulated 
for  these  types  must  be  great  enough  to  represent  the  type’s  stipulated  range. 

(vi)  Markpoints: 

These  are  used  to  mark  Ada  statements.  We  have  added  this  marking  capability  to 
SDVS  to  allow  the  user  to  go  (execute  symbolically)  to  a  specific  marked  point  in  the 
program.  The  user  sets  a  mark  in  an  Ada  comment  line  just  before  the  statement 
being  marked,  using  the  notation  “ — (no  spaces): 

— @  foo 
X  :=  1; 

During  symbolic  execution,  this  yields  “.pc  =  at(foo)”  (where  “pc”  is  the  program 
counter)  at  the  point  where  the  state  delta(s)  representing  the  marked  statement  be¬ 
come  usable.  Despite  this  fact,  the  user  will  not  see  “#pc  =  at(foo)”  appear  explicitly 
in  the  postcondition  of  the  previously  applied  state  delta.  Any  Ada  statement  can 
be  marked.  Note  that  the  marked  program  remains  acceptable  to  an  Ada  compiler; 
the  marked  points  are  treated  as  comments  by  Ada  compilers.  A  mark  can  be  turned 
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into  a  regular  (uninterpreted  in  SDVS)  comment  simply  by  inserting  a  space  between 
the  “ — ”  and  the  or  by  beginning  the  whole  line  with  an  extra  pair  of  hyphens 
(even  a  single  hyphen  will  do,  so  long  as  it’s  not  followed  by  a  space). 

(vii)  adasubprogenv: 

This  query  command  is  quite  useful  in  connection  with  the  Ada  offline  characterization 
facility.  It  displays  the  mapping  of  fuUy  qualified  program  names  to  uniquely  qualified 
place  names  for  all  places  constituting  the  environment  for  the  proof  of  an  adalemma 
about  a  subprogram. 

(viii)  Improved  handling  of  Ada  array  constants: 

The  initialization  of  constant  arrays  in  SDVS  requires  inordinately  large  storage  and 
is  extremely  time-consuming.  We  had  to  add  special  Lisp  code  to  handle  these  initial¬ 
izations.  This  addition  is  experimental  and  is  not  incorporated  into  SDVS  12.  In  our 
proof,  we  load  the  file  “array .constant .lisp”  to  perform  the  initialization  of  constant 
arrays.  These  enhancements  will  be  added  to  a  future  version  of  SDVS  when  the 
implementation  is  more  robust. 

(ix)  Bugs: 

Some  of  the  things  we  have  been  calling  “bugs”  were  in  fact  restrictions  on  the  SDVS 
Ada  translator  of  which  we  were  not  aware.  For  example,  the  translator  did  not  allow 
the  following  declaration  in  the  package  SERIAL_DIG_CMDS: 

procedure  RET_CMD_BUF_AND_STATUS 


(Cmd.Buf 

out 

CMD.BUF.TYPE; 

Cmd_Status_Buf 

out 

CMD_STATUS_BUF_TYPE ; 

Cmd.Count 

out 

INTEGER; 

FIFO_Not_Empty_Count 

out 

INTEGER; 

I0_Status_Word 

out 

GLOBAL.TYPES.  WORDP¬ 

Lost.Cmd 

out 

RO  GLEAN)  ; 

The  reason  was  that  the  package  also  contained  the  object  declaration 
CmdJBuf  :  CMD.BUF_TYPE; 

We  removed  limitations  such  as  this  as  they  arose  in  the  course  of  the  project. 


In  the  course  of  our  proofs,  we  realized  that  the  addition  of  three  new  proof  commands  to 
SDVS  would  obviate  a  lot  of  repetitive  work.  These  three  commands  are  loop,  repeat,  and 
if.  Since  we  have  not  tested  them  extensively,  we  have  not  added  them  to  SDVS  12.  These 
commands  enabled  us  to  write  a  “meta-level”  proof;  instead  of  writing  57  subproofs  for  the 
57  cases  in  the  MSX  proof,  we  wrote  one  meta-level  proof  for  all  these  cases. 

The  loop  command  has  the  syntax;  “UNTIL  <condition>  WITH  <proof-name>.”  It  is  effec¬ 
tively  a  generalization  of  the  go  command,  except  that  instead  of  simply  executing  apply 
commands  until  <condition>  is  true,  it  repeatedly  interprets  (executes)  the  proof  <proof- 
name>  until  the  condition  is  true. 
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The  repeat  comm  and  has  the  syntax  “<proof-name>  ITERATING  ON  <iteration-variable> 
FROM  <Iower_bound>  TO  <upper_bound>.”  It  allows  the  user  to  write  a  parameter¬ 
ized  proof  (that  is,  a  proof  which  involves  the  <iteration-variable>)  and  then  to  execute 
the  proof  <proof-name>  successively  with  each  value  in  the  range  from  <lower_bound> 
to  <upper_bound>  substituted  for  <iteration-variable>.  The  formulas  <lowerJ30und>  and 
<upper_bound>  must  simplify  to  integer  values. 

The  if  command  has  the  syntax  “IF  <condition>  THEN  <proof-name>.”  This  command 
interprets  the  proof  <proof-name>  if  <condition>  is  true,  and  does  nothing  otherwise. 
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4  Modifications  to  the  Code 


In  this  section  we  list  the  extensive  modifications  we  made  to  the  target  software.  The  great 
majority  of  these  modifications  were  necessary  either  because  the  SDVS  Ada  translator 
does  not  handle  Ada  tasking  or  because  parts  of  the  target  software  were  written  in  1750A 
assembly.  The  entire  program  appears  in  Appendix  A.  We  have  marked  every  statement 
that  we  deleted  or  replaced  in  the  SERIAL_DIG.CMDS  and  APP_MSGS  packages. 


1.  Ada  with  clause: 

Our  original  intent  was  to  implement  the  with  clause  into  the  SDVS  Ada  translator. 
During  our  work  on  the  design  of  the  implementation,  we  realized  the  implementation 
would  take  a  great  deal  of  time  that  would  be  better  spent  on  the  other  Ada  constructs, 
since  we  could  achieve  part  of  the  effect  of  the  with  clause  by  simply  ordering  the 
packages  in  the  main  program  in  the  “right”  order.  In  many  cases,  if  the  with  clause 
were  not  used  when  needed  in  the  original  software,  it  would  not  be  possible  to  compile 
the  packages.  We  do  not  claim  that  the  way  we  dealt  with  this  clause  is  not  prone 
to  error.  However,  we  don’t  think  our  solution  allowed  us  to  prove  the  correctness 
of  code  (under  the  circumstances  stipulated  by  our  input  condition)  that  was  in  fact 
incorrect. 

2.  Ada  tasks: 

We  have  probably  belabored  this  point:  SDVS  does  not  currently  handle  tasking. 
We  declared  the  tasks  as  procedures  and  deleted  any  Ada  construct  that  is  specific  to 
tasking.  Thus,  we  deleted  the  simple  loops  in  the  three  procedures  that  were  originally 
tasks  as  well  as  the  pertaining  exits.  A  simple  loop  requires  an  infinite  execution  of 
its  body,  unless  an  exit  in  the  loop  intervenes.  Thus,  the  purpose  of  a  simple  loop  in  a 
task  is  to  ensure  that  the  task  executes  infinitely  often.  Once  we  changed  a  task  to  a 
procedure  and  deleted  the  simple  loop  in  its  body,  the  procedure’s  infinite  execution 
could  be  ensured  only  by  the  scheduler  we  developed.  We  had  to  delete  the  simple 
loops  in  these  procedures,  because  otherwise,  once  one  of  these  procedures  was  called 
by  the  scheduler,  it  would  never  relinquish  control  of  the  execution  to  the  others. 
The  scheduler  now  performs  the  function  of  the  simple  loops,  that  is,  to  execute  the 
procedures  repeatedly. 

We  also  deleted  the  exception  handlers:  they  were  used  only  for  tests  involving  the 
tasks. 

We  deleted  calls  to  the  Tartan-supplied  ARTCLIENT  that  is  used  in  the  code  to  enter 
and  leave  critical  sections  of  the  tasks  and  the  interrupt-driven  procedure. 

3.  Ada  pragma: 

We  deleted  all  pragmas.  As  we  noted  in  [1],  pragmas  are  instructions  to  the  compiler 
and  are  generally  not  meant  to  change  the  semantics  of  an  Ada  program.  In  almost 
aU  instances,  the  pragmas  in  the  target  software  involved  either  tasking  or  interfacing 
with  the  1750A  assembly  code.  (The  pragmas  we  deleted  are  elaborate,  priority,  pack, 
Foreign-Body,  and  Linkage-Name.) 
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4.  INTRINSICS  and  INTRINSIC_FUNCTIONS: 

We  deleted  all  references  to  the  Tartan-supplied  INTRINSICS  package.  The  INTRIN¬ 
SIC-FUNCTIONS  package  consists  of  generic  instantiations  of  generic  functions  appear¬ 
ing  in  the  INTRINSICS  package.  We  characterized  the  instantiations  we  needed  in  the 
target  code  (andJ,  AND.WORD,  AND_BYTE,  and  ORJ)  by  adalemmas. 

5.  Embedded  calls  to  1750A  code: 

We  enumerate  and  comment  upon  the  instances  of  calls  to  1750A  assembly  subpro¬ 
grams  in  target  code. 

•  In  CMDJN-HANDLER,  a  call  is  made  to  the  ASM-UTILITY.  CHECK-PARITY  function 
to  obtain  the  parity  of  a  command.  We  provided  a  trivial  Ada  body  for  the  parity 
function  that  always  returns  good  parity  (true).  This  solution  is  not  entirely 
satisfactory  because  it  does  not  allow  the  possibility  of  checking  the  code  to 
determine  what  happens  if  a  command  does  not  have  good  parity.  Our  original 
intent  was  to  give  an  offline  characterization  of  CHECK-PARITY,  allowing  the 
possibility  of  returning  false  in  certain  cases.  We  did  not  have  the  time  to  do 
this. 

•  CMDJN-HANDLER  services  an  interrupt  indicating  that  there  is  a  command  to  be 
retrieved  from  the  FIFO  buffer.  It  obtains  the  command  by  the  following  caU: 

MEMORY.MANAGER . READ.FIFO (Cmd_In.FIFO_Addr , 

Cmd.Unpacked ’ address , 

Cmd-Size) ; 

(MEMORY-MANAGER  is  written  in  1750A  assembly.)  We  chose  this  to  be  the 
point  at  which  the  target  code  obtains  input,  and  substituted  the  above  call 
to  MEMORY_MANAGER.READ_FIFO  by  a  “for”  loop  that  gets  four  bytes  for  the 
command  from  the  standard  input. 

•  In  PROCESS-MSG,  a  call  is  made  to  MEMORY-MANAGER.CONV-TYPE  to  assign 
the  value  of  New-App-Msg(2)  (an  integer)  to  Temp-WordJ.  (a  word).  The  body 
of  CONV-TYPE  is  written  in  1750A.  We  replaced  this  call  by  a  type  conversion: 
Temp_Word_l  :=  GLOBAL-TYPES. WORD (New. App.Msg (2) ) ; 

In  MANAGE-MSG-RETRIEVAL,  another  caU  is  made  to  MEMORY-MANAGER.CONV-TYPE 
to  convert  each  word  stored  by  an  array  of  words  to  an  integer.  We  replaced  this 
caU  by  the  foUowing  Ada  type  conversion: 

for  index  in  1  . .  Num_Words_Curr_App_Msg  loop 

App_Msg_Out (index)  :=  INTEGER(App_Msg_0(0_Head) (index)) ; 

end  loop; 

•  Again,  in  CONTINUE_BUILD,  a  caU  is  made  to  MEMORY-MANAGER.CONV-TYPE 
to  convert  an  integer  to  a  word.  We  replaced  this  caU  by  an  Ada  type  conversion. 

6.  Hexadecimal  Notation: 

We  have  replaced  aU  hexadecimal  literals  by  equivalent  decimal  literals. 
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7.  Two-dimensional  arrays: 

We  have  replaced  all  two-dimensional  arrays  with  one- dimensional  arrays  of  one¬ 
dimensional  arrays. 

8.  Ada  others  initialization  construct: 

Originally,  we  intended  to  add  the  others  initialization  construct  to  the  SDVS  Ada 
translator,  but  we  did  not  have  time  to  do  it.  However,  in  every  case  it  is  used  in  the 
target  code,  it  is  used  to  initialize  arrays  or  records  with  values  that  are  never  actually 
used  within  this  code.  We  simply  deleted  these  initializations.  In  SDVS,  these  objects 
would  simply  have  unknown  symbolic  values  initially.  Since  nothing  is  known  about 
these  values,  nothing  could  be  proved  from  the  assumption  that  they  are  unknown. 

9.  Ada  WRITELN  a^nd  WRITESTRING: 

We  deleted  all  WRITELN  a-nd  WRITESTRING  constructs,  which  are  not  part  of  the 
standard  Ada  definition  but  are  accepted  by  the  Tartan  compiler.  These  constructs 
appear  in  the  target  software  for  testing  purposes  only. 

10.  Ada  POSITIVE  type: 

This  predefined  subtype  is  used  in  the  package  CMDS.TYPES.  We  replaced  these  oc¬ 
curences  by  equivalent  code.  For  example,  we  replaced  the  declaration 

subtype  INDEX.SUBTYPE  is  POSITIVE  range  1 . .App_Msg_Max; 

by  the  declaration 

subtype  INDEX_SUBTYPE  is  INTEGER  range  1 . .App_Msg_Max; 

11.  Unconstrained  array  types: 

There  is  one  unconstrained  array  type,  APP-MSG_OUT_TYPE,  defined  in  CMDS.TYPES. 

We  redefined  this  type  to  be  a  constrained  array  type  with  the  maximum  range  pos¬ 
sible: 

App_Msg_Mcix  :  constant  INTEGER  :=  80; 

— SDVS  comment:  The  predefined  type  POSITIVE  is  not  implemented  in  SDVS. 

— SDVS  delete:  subtype  INDEX_SUBTYPE  is  POSITIVE  range  1 . . App_Msg_Max; 

subtype  INDEX_SUBTYPE  is  INTEGER  range  1 . . App_Msg_Max; — SDVS  replace 
— SDVS  comment :  SDVS  does  not  currently  hcindle  unconstrained  array  types . 

— SDVS  delete  (unconstrained  array) :  type  APP_MSG_OUT_TYPE  is 
—SDVS  cont:  array  (INDEX.SUBTYPE  rangeO)  of  INTEGER; 

type  APP_MSG_OUT_TYPE  is  array  (1  ..  App_Msg_Max)  of  INTEGER;  —SDVS  replace 

Load_Msg_Max  :  constant  INTEGER  :=  127; 

type  L0AD_MSG_TYPE  is  array  (1 . .Load_Msg_Max)  of  INTEGER; 

12.  Array  slices 

In  PROCESS_MSG,  a  slice  of  the  array  New_App_Msg  is  written  to  EEPROM  by  the 
call 
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—  Strip  off  New_App_Msg(l)  which  contains  opcode, 

—  the  contents  of  data  structure  (including  checksum) is 

—  stored  in  New_App_Msg(2)  thru  (Data_Struc_Length+l) . 

— New_App_Msg(l . .Data_Struc_Length)  := 

New_App_Msg(2. .Data_Struc_Length+l) ; 
EEPROM.DATA . STORE_DATA_STRUC_IN_EEPROM 

(New_App_Msg(2. .Data_Struc_Length+l) , 
Data_Struc_ID, 

Data_Struc_Length) ; 

The  slice  is,  in  fact,  the  entire  message.  Since  the  SDVS  Ada  translator  does  not 
handle  array  slices,  we  have  replaced  the  above  call  by 

EEPROM.DATA . STORE.DATA.STRUC.IN.EEPROM 
(New.App.Msg, 

Data.Struc.ID , 

Data.Struc.Length) ; 

The  procedure  STOREJlATA.STRUCJNJiEPROM,  whose  body  we  wrote,  simply  out¬ 
puts  the  array  slice  from  2  to  Data.Struc.Length  +  1. 
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5  Proofs  for  an  Infinite  Sequence  of  Data  Structure  Mes¬ 
sages 

We  have  finished  a  proof  that  MSX_PROGRAM_FINAL_VERSION,  a  suitably  modified  version 
of  the  original  program,  correctly  processes  infinite  sequences  of  57  of  the  61  data-structure 
messages.  This  section  contains  a  discussion  of  the  proof  and  Appendix  B  contains  the 
complete  proof. 

Before  we  discuss  the  proof  itself,  we  must  first  note  a  few  facts  about  input  and  output  in 
SDVS  for  Ada  programs  in  general,  and  input  and  output  in  the 

MSX_PROGRAM_FINAL_VERSION  program  in  particular.  We  also  describe  the  scheduler  for 
this  program,  i.e.,  its  body,  in  the  following  section. 


5.1  Preliminaries  to  program  input  and  output 

For  each  program  translated  by  the  SDVS  Ada  translator,  SDVS  declares  two  objects,  stdin 
and  stdout,  to  be  one-dimensional  unbounded  arrays  of  polymorphic  type.  Stdin  is  the 
standard  input  array:  every  value  input  via  a  caU  to  the  function  get  is  obtained  from  the 
standard  input  array.  The  position  in  the  array  of  the  item  obtained  is  determined  by  the 
order  of  the  calls.  For  example,  if  get(x)  is  the  first  call  to  get  in  a  program,  then  object  x 
is  assigned  the  value  stored  in  stdin[l].  The  standard  input  array  is  constant  throughout 
the  execution  of  the  program.  The  standard  output  array,  stdout,  has  a  similar  function, 
although  unlike  stdin  it  changes  during  the  execution  of  a  program  when  the  function  put 
is  called.  In  SDVS,  assertions  about  the  input  or  the  output  of  a  program  are  assertions 
about  the  current  values  of  the  standard  input  array  and  the  future  values  of  the  standard 
output  array. 

In  the  design  of  the  target  software,  a  byte  is  eight  bits  long;  a  word  is  sixteen  bits  long;  and 
a  command  consists  of  two  words.  In  the  actual  Ada  code,  bytes  and  words  are  represented 
by  integers  constrained  to  specific  ranges.  Commands  are  represented  either  as  arrays  of 
four  bytes  or  as  records  with  four  fields,  each  field  corresponding  to  one  byte.  Although 
bytes  (words)  have  an  integer  parent  type,  they  encode  sequences  of  zeros  and  ones  that 
are  eight  (sixteen)  bits  long.  For  example,  if  the  integer  value  of  the  byte  B  is  seven,  then 
B  encodes  (i.e.,  contains)  the  bit  sequence  <  00000111  >. 

In  the  target  software,  CMDJN_HANDLER  obtains  a  command  by  the  call 


MEHORY.MANAGER . READ.FIFO (Cmd_In_FIF0_Addr , 

Cmd.Unpacked’ address , 

Cmd.Size) ; 

Cmd_XJnpacked  is  an  array  of  four  bytes,  and  MEMORY_MANAGER.READJFIFO  is  a  procedure 
with  a  body  written  in  1750A  assembly  code.  We  have  substituted  this  call  by  the  following: 
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for  i  in  1  . .  4  loop 
get(cmd_xinpacked(i) ) ; 
end  loop ; 

Thus,  every  call  to  CMDJNJSANDLER  gets  four  elements  (bytes)  from  the  standard  input 
array. 

In  the  target  software,  PROCESSJdSG  “writes”  a  message  to  EEPROM  by  the  call 


EEPROM.DATA . STORE_DATA_STRUC_IN_EEPROM 

(New_App_Msg(2. .Data_Struc_Length+l) , 
Data_Struc_ID, 

Data_Struc_Length) ; 

New_App_Msg,  an  array  of  words,  is  the  processed  message. 

In  our  modified  code,  we  have  changed  this  call  to 


EEPROM.DATA . STORE.DATA.STRUC.IN.EEPROM 

(New_App_Msg, 

Data_Struc_ID , 

Data_Struc_Length) ; 

and  decided  to  stop  the  message  processing  at  this  step.®  At  this  point,  the  message  has 
been  built;  we  have  changed  the  body  of  STOREJDATA_STRUCJNJEEPROM  so  that  it  simply 
outputs  the  message  as  follows: 


procedure  STORE_DATA_STRUC_IN_EEPROH 


(Array.Of .Words 

:  in 

CMDS.TYPES . APP.MSG.OUT.TYPE ; 

Data.Struc.ID 

:  in 

INTEGER; 

D  at  a. Struc .L  ength 

:  in 

INTEGER)  is 

begin 

for  i  in  2  . .  Data_Struc_Length  +  1  loop 
put (Array_0f .Words (i) ) ; 
end  loop; 

end  STORE_DATA_STRUC_IN_EEPROM; 


^We  decided  to  verify  the  load  to  EEPROM  up  to  this  point  only,  since  the  message  has  been  built  at 
this  point,  and  the  machinery  for  the  “write”  to  EEPROM  has  been  initiated.  The  execution  that  follows 
in  the  original  MSX  software  shortly  leads  to  the  invocation  of  procedures  written  in  1750A  code. 
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Thus  every  call  to  STORE_DATA_STRUC JN-EEPROM  puts  a  message  in  the  standard  output 
array,  word  by  word. 

Having  discussed  the  points  at  which  calls  to  get  and  put  occur  in  the  modified  software, 
we  may  now  present  the  order  of  execution  of  the  modified  interrupt-driven  procedure  and 
the  modified  tasks.  The  execution  order  is  determined  by  the  body  of 
MBX-PROGRAHJINAL-VERSION: 


begin 

— 0  loop_begin 


loop 

SERIAL.DIG.CMDS . CMD_IN_HANDLER; 

for  i  in  2  ..  APP_MSGS.RET_MSG_LENGTH (SERIAL.DIG.CMDS. RET_MSG_ID)  loop 
SERIAL.DIG.CMDS . CMD.IN.HANDLER; 
end  loop; 

APP.MSGS. BUILD; 

APP.MSGS . PROCESS.MSG ; 
end  loop; 


end  MSX.PROGRAM.FINAL.VERSIDN; 


Each  iteration  of  this  loop  accomplishes  four  things.  In  order,  they  are  as  follows: 

•  The  first  command  of  the  next  message  is  read  (caU  to 
SERIALJDIG.CMDS.CMDJNJSANDLER). 

•  The  remaining  commands  of  the  next  message  are  read  (/or  loop). 

•  The  data  for  the  newly  read  message  are  extracted  and  put  into  a  new  format  con¬ 
sisting  of  words  (call  to  APPJdSGS. BUILD). 

•  These  words  are  output  (call  to  APPJ»ISGS.PR0CESS_MSG). 

A  property  of  this  loop  crucial  to  the  proof  is  that  it  processes  exactly  one  message  block 
on  each  iteration. 


5.2  The  correctness  assertion  for  MSX.PROGRAM J'INAL.VERSION 

The  correctness  assertion  for  MSXJ’ROGRAMJ'INAL.VERSION  is  the  state  delta 
infinitesequence-datastructure-messages.sd.  It  is  the  formal  equivalent  of  the  informal 
correctness  assertion  “the  Ada  program  MSXJ^ROGRAM  JINAL.VERSION  correctly  partitions 
and  reformats  an  infinite  input  stream  of  bytes  into  its  constituent  messages” . 
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(def sd  inf inite_sequeiice_data_structure_messages . sd 
"[sdpre:  (formulaCf inale. sd) , 

formula(input_places_dis joint .sd) , 
formula (output _places_dis j oint .sd) , 
ada(msx_program_f inal_version. a) , 

f ormula(checksum_f irst_k_bytes_message_n_def inition) , 
f ormula(checksum_def inition) , 
formula(msg_in_lh_def inition) , 
formula(msg_out_lh_ def inition) , 
formula(msg_input_begins_at_def inition) , 
formula(msg_output_begins_at_def inition) , 
f ormula(allowed_message_ids) , 
f ormula(input_condition) ) 


comod;  (all) 
mod:  (all) 

post:  (f ormula(output_condition) )  ]") 


The  first  three  formulas  in  the  precondition  of  this  state  delta  {finale. sd, 
inpuLplaces..disjoint.sd,  and  output-places-disjoint.sd)  are  state  deltas  that  are  used  in  the 
proof  of  infinite^equence-datastructurejmessages.sd.  Each  of  these  three  state  deltas  has 
been  proved  in  SDVS,  and  their  proofs  are  included  in  Appendix  B.  Usually  such  state 
deltas  are  written  as  lemmas  and  do  not  appear  in  the  precondition,  but  these  formulas 
contain  quantifiers  and  the  current  SDVS  implementation  cannot  handle  lemmas  that  con¬ 
tain  quantifiers.  In  normal  circumstances,  we  would  have  simply  proven  these  facts  in  the 
same  SDVS  session  with  the  main  proof,  but  the  way  we  conducted  the  final  proof  (ex¬ 
plained  in  more  detail  later)  meant  that  we  would  have  had  to  run  the  proofs  of  these 
state  deltas  (which  take  a  significant  amount  of  time)  many  times.  Since  we  were  already 
concerned  about  the  amount  of  time  the  main  proof  was  going  to  take,  we  decided  to  prove 
these  once  and  include  them  in  the  precondition  of  the  correctness  assertion  rather  than 
reprove  them  many  times. 

The  next  part  of  the  precondition  {ada(TnsxjprogramJinaLversion.a))  is  a  predicate  that 
corresponds  to  the  program  MSXJPROGRAM_FINAL.VERSION.  The  formula  input.condition 
in  the  precondition  specifies  the  input  condition  for  this  program:  it  depends  on  the  formu¬ 
las  checksum-first-k-bytes-Tnessagejn-definition,  checksum-definition,  msg-inJh-definition, 
msg-outJh-definition,  msgJnput-begins-at-definition,  and  allowed-messageJds.  The  formula 
output-condition  in  the  postcondition  specifies  the  output  condition;  it  depends  on  the  for¬ 
mulas  msg-out-lh-definition  and  msgJnput-begins-at-definition. 

The  formula  allowed-message-ids  and  those  formulas  whose  names  end  in  -definition  are  used 
in  the  correctness  assertion  only  to  help  define  the  input  condition  and  output  condition,  and 
are  strictly  speaking  unnecessary:  that  is,  we  could  have  written  the  correctness  assertion 
without  them.  We  feel,  however,  that  they  aid  greatly  in  simplifying  the  proof  and  in 
making  it  understandable.  In  the  next  two  subsections,  we  will  discuss  first  the  formulas 
used  in  the  input  condition,  and  then  the  formulas  used  in  the  output  condition. 
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5.2.1  The  input  condition 


In  this  subsection  we  will  discuss  in  detail  the  input  condition  for  the  program.  As  mentioned 
earlier,  the  main  formula  used  to  specify  the  input  condition  is  the  formula  input-condition 
below  (this  formula  is  taken  directly  from  page  146  in  Appendix  B). 

(defformula  input .condition 

"forall  X  (forall  z  (x  ge  1  — > 

;  The  first  byte  is  always  1 

((z  =  1  — >  .stdin[msg_input_begins_at(x)  +  (z-1)]  =  1)  & 

;  The  second  byte  is  always  2 

(z  =  2  — >  .stdin[msg_input_begins_at(x)  +  (z-1)]  =  2)  & 

;  The  third  byte  is  the  message  identifier 

(z  =  3  — >  .stdin[msg_input_begins_at(x)  +  (z-1)]  =  msg_id(x))  & 

;  As  for  the  remaining  bytes . . . 

((4  le  z  &  z  le  msg_in_lh(x) )  — > 

;  If  it’s  the  first  byte  of  a  command,  it’s  an  eight 
((z  mod  4=1  — > 

.stdin[msg_input_begins_at(x)  +  (z-1)]  =  8)  & 

;  Otherwise,  we  only  know  it’s  a  byte 
(z  mod  4  '=  1  — > 

is.byte(.stdin[msg_input_begins_at(x)  +  (z-1)]))))  & 

;  First  checksum  byte  is  the  high  bits  of  the  checksum  word 
;  for  message  x 

((z  =  ((8  *  msg_out_lh(x)  -  2)  /  3))  — > 

.stdin[msg_input_begins_at(x)  +  (z-1)]  = 
high.bits(checksum(x)))  & 

;  Second  checksum  byte  is  the  low  bits  of  the  checksum  word 
;  for  message  x 

((z  =  ((8  *  msg_out_lh(x)  +2)  /  3))  — > 

.stdin[msg_input_begins_at(x)  +  (z-1)]  = 
low .bits (checksum(x) )))))") 


This  formula  (in  conjunction  with  other  formulas)  specifies  an  infinite  sequence  of  data 
structure  messages:  the  embedded  comments  show  how  it  corresponds  to  the  informal 
specification  of  a  data-structure  message  given  in  [1].  Examination  of  this  formula  reveals 
that  it  depends  on  the  macros  is.byte(x),  high.bits(x),  and  low.bits(x),  and  on  the  functions 
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msg-input-heginsjat,  Tnsg-inJh,msgJd,  and  checksum.  We  will  first  explain  the  macros, 
then  the  functions  msg -input -begins msg-inJh,  and  msg-id.,  and  finally  the  function 
checksum.  In  the  course  of  explaining  these  functions  (and  other  functions  used  to  define 
them),  we  will  explain  aU  of  the  functions  in  the  precondition. 

First  the  macros.  The  macro  is.byte(x)  is  true  when  x  is  between  0  and  255,  inclusive,  false 
otherwise.  The  macros  high.bits(x)  and  low.bits(x)  are  used  to  represent  the  most  and  least 
significant  eight  bits  of  a  word,  respectively. 

We  wiU  now  discuss  those  functions  used  in  the  input  condition.  To  clarify  the  following 
discussion,  we  have  provided  Table  1,  which  illustrates  the  values  of  the  functions  for  a 
message  sequence  whose  first  three  messages  in  order  have  identifiers  22,  10,  and  1.  AU  of 
the  constituent  bytes  of  the  first  two  messages,  and  the  first  six  of  the  third,  are  shown  in 
Table  1.  This  table  also  includes  a  condensed  display  of  the  nth  message  to  iUustrate  the 
values  of  these  functions  for  input  value  n. 

The  function  msgJnput-beginsjxt  plays  an  important  role  in  specifying  the  input.  As  the 
name  suggests,  the  value  of  this  function  at  x  is  the  location  of  the  byte  where  the  xth  mes¬ 
sage  begins.  Thus  the  first  byte  of  the  xth  message  is  .stdin[msg -input J)eginsjat{x)],  the 
second  is  .stdin[msg-input-beginsJit{x)  +  1],  etc.  This  function  is  defined  in  the  foUowing 
way: 


(def formula  msg_input_begins_at_def inition 
"forall  X  (msg_input_begins_at(l)  =  1  & 

((x  gt  1)  — > 

(msg_input_begins_at(x)  = 
msg_input_begins_at (x-1)  +  msg_in_lh(x-l) ) ) ) ") 


This  definition  is  based  on  the  observation  that  the  first  byte  of  the  rth  message  is  one 
plus  the  sum  of  the  lengths  of  the  preceding  messages.  We  can  see  this  by  expanding  the 
definition  above  at  x: 

msg-input-begins-at{x)  — 
msg-input-beginsjat{x  —  1)  +  msg-injh(x  —  1)  = 
{msg-input-begins.at{x  —  2)  +  msg-inJh{x  —  2))  -|-  msgJnJh^x  —  1)  = 


(. .  .((1  +  msg-inJh{l))  +  msg-inJh{2))  +  . . .  +  msgJnJh^x  —  2))  -t-  msg-inJh(x  —  1) 

The  function  msg-inJh  used  above  is  defined  in  the  formula  msg-inJh-definitionon  page  142 
in  Appendix  B.  This  definition  is  based  on  the  specification  of  the  message  input  lengths 
as  determined  by  the  message  identifier.  The  formula  msg-inJh-definition  employs  the 
function  msg-id{x),  which  as  we  can  see  from  the  formula  input-condition  above,  returns 
the  same  value  at  x  as  the  message  identifier  for  message  x  (i.e.,  the  third  byte  of  message 
r).  An  important  part  of  the  input  condition  is  the  formula  allowed-messageJds  (given  on 
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Table  1:  Example  Input  Sequence 


Byte 

Value 

Block  1 

1  (=  msgjinputJ)eginsjat{l)) 

1 

2 

2 

3 

22  (=  msg-id{\)) 

4 

d\,\ 

5 

8 

6 

di,2 

7 

high.bits{checksum{l)) 

8 

low.bits{checksum{l)) 

Block  2 

9  (  =  msg -input J}egins^t{2)) 

1 

10 

2 

11 

10  (=  msg-id{2)) 

12 

d2,i 

13 

8 

14 

d2,2 

15 

d2,3 

16 

d2,4 

17 

8 

18 

high.bits{checksum{2)) 

19 

low.bits{checksum{2)) 

20 

spare 

Block  3 

21  (  =  msg -input  J}eginsjat{Z)) 

1 

21 

2 

22 

1  (=  msg-id{3)) 

23 

dz,\ 

24 

8 

25 

dz,2 

• 

; 

Block  n 

msg-input-begins-at{n) 

1 

msg-input-heginsjxt{n)  +  1 

2 

msg-input-beginsMt(n)  +  2 

msg-id(n) 

msg-input-beginsjxt{n)  +  3 

dn,l 

msg-input-beginsjit(n)  +  4 

8 

msg-input-begins-at{n)  +  5 

dn,2 

msg-input-heginsjat{n)  +  msg-inJh{n)  —  1 

low.bits{checksuTn{n))  or  spare 

Block  n  +  1 

msg-input-beginsjit{n  +  1) 

1 

I 
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page  141  of  Appendix  B),  which  constrains  the  value  of  msgJd{x)  (and  hence  the  third 
byte  of  message  x)  to  be  a  legitimate  message  identifier. 

Finally,  the  function  checksum  (defined  on  page  146  in  the  Appendix)  represents  the 
result  of  the  program’s  calculation  of  a  message’s  checksum.  This  function  is  defined 
with  the  help  of  two  other  functions:  sdvsjxorjword{x,  y),  which  corresponds  to  the  Ada 
XOR.WORD(X,Y)  function;  and  checksum-first-kJ)ytes-message-n{n,k),  which  uses  the 
sdvs-xorjword  function  and  represents  the  result  of  the  checksum  calculation  on  the  first 
k  words  of  the  nth  message. 

The  position  of  the  checksum  bytes  is  given  in  the  formula  input-condition  in  terms  of  the 
function  msg-OutJh.  This  function  and  the  function  msg-output-heginsjad  are  defined  for 
output  in  the  same  way  that  are  msgjinJh  and  msgJnput-beginsjit  are  defined  for  input. 
We  will  discuss  msg-outJh  and  msg-output-beginsjat  in  the  next  section. 


5.2.2  The  output  condition 

The  output  condition  for  the  correctness  assertion  is  given  by  the  formula  output-condition 
below: 


(defformula  output .condition 

"x  ge  1  — >  (forall  z  ((  llez&zle  msg_out_lh(x) ) 

— >  #stdoutCmsg_output_begins_at(x)  +(z-l)3 

=  mk.word(.stdin [ms  g_ input .begins. at (x) 
+  ((8  *  z  -  5)  /  3)]  , 

. stdin [msg.input .begins. at (x) 
+  ((8  *  z  -  1)  /  3)])))") 


This  formally  expresses  the  relationship  between  the  input  and  output  given  informally 
in  [1],  which  in  brief  may  be  stated  “the  output  for  a  message  is  obtained  by  extracting 
the  actual  data  bytes  from  the  input  for  that  message  and  forming  them  into  words”. 
This  formula  depends  on  the  macro  mk.word  and  the  functions  msg-outputJbeginsjat  and 
msg-outJh.  The  macro  mk.word(x,y)  is  a  function  that  gives  the  integer  value  of  a  word 
whose  high  bits  are  the  byte  x  and  whose  low  bits  are  the  byte  y.  This  macro  is  used  to 
capture  succinctly  the  operation  of  “...forming  them  into  words”,  given  in  the  quotation 
earlier  in  this  paragraph. 

As  indicated  earlier,  the  functions  msg-output-beginsjat  and  msg-outJh  (defined  on  pages 
145  and  144,  respectively)  are  the  analogues  of  msg-input-begins-at  and  msg-inJh  for 
output.  As  with  the  input  condition,  for  clarification  we  include  a  table  (Table  2)  of  the 
output  for  the  input  given  in  Table  1.  Comparing  Table  1  and  Table  2  shows  that  the 
input  and  output  for  the  example  sequence  do  in  fact  have  the  relationship  stated  in  the 
quotation  in  the  preceding  paragraph,  with  the  last  word  of  the  output  for  message  n  being 
the  checksum  for  that  message  [i.e.,  checksum(n)]. 
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Table  2:  Example  Output  Sequence 


Word 

Value 

Block  1 

1  (=  msg-Output-heginsjat{l)) 

mk.word{2, 22) 

2 

mk.word{di^i,  ^1,2) 

3 

checksum{l) 

Block  2 

4  (=  msg -Output J>eginsjit{2)) 

mk.word{2, 10) 

5 

mk.word{d2^i,  ^2,2) 

6 

mk.word{d2^3,  ^2,4) 

7 

checksum{2) 

Block  3 

8  (=  msg-Output-beginsjat{3)) 

mk.word{2, 1) 

9 

mk.word{d3j,  <^3,2) 

j 

Block  n 

msg-output-hegins-at{n) 

mk.word{2,  msgJd{n)) 

msg -Output  J)eginsMt{n)  -f  1 

mk.word{dn^i,  dn,2) 

j 

msg-input-beginsjit{n)  +  msg-outJh{n)  —  1 

checksum{n) 

Block  n  -f  1 

msg -input  J)eginsjat{n  -fi  1) 

mk.word{2,  msg-id{n  +  1)) 

; 

5.3  The  proof  of  infinite_sequence_data_structure_messages.sd 
In  this  subsection  we  will  talk  about  the  proof  of  the  state  delta 

infinite-sequence-data-structure.messages.sd.  We  will  present  here  the  proof  given  in  Ap¬ 
pendix  B  (which  is  there  presented  in  a  “bottom-up”  fashion)  in  a  “top-down”  style,  pro¬ 
ceeding  from  a  high-level  view  of  the  proof  through  increasing  levels  of  detail. 

As  we  have  mentioned  before,  MSXJPROGRAM_FINAL_VERSION  has  an  infinite  loop  as  its 
main  body.  Our  proof  strategy  in  the  proof  of  infinitesequence-datastructure-messages.sd 
{main. proof  on  page  197  of  Appendix  B)  is  to  execute  symbolically  to  the  beginning  of 
this  loop  and  to  then  use  loop  induction.  As  is  typical  with  loop  induction,  we  chose  a 
loop  invariant  weak  enough  to  be  proved  after  symbohcally  executing  through  the  loop,  but 
strong  enough  to  imply  the  goal  when  the  induction  was  finished.  In  our  case,  the  invariant 
of  the  loop  induction  is  the  following: 


comment  "Starting  induction...". 


induct  on :  n 

from:  1 
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X  +  1 


to ; 

invariants : 

( 

; Needed  for  covering  information 

pcoveringC .msx_program_f inal_version,old_universe) , 

; Variable  values 

.build_in_progress  =  false, 

.cmd_ count  =  0, 

.lost.cmd  =  false, 

.app_msg_counter  =  0, 

; Queue  variables  and  bounds 

.q_head 

=  1  +  .q_tail  mod  .app_msg_q_size, 

.q.head  ge  origin ( app_msg_q) , 

.q.head 

le  (origin(app_msg_q)  + 
range (app_msg_q))  -  1, 

.q_tail  mod  .app_msg_q_size  +  1 
ge  origin (app.msg.q) , 

.q_tail  mod  . app_msg_q_size  +  1 
le  (origin(app_msg_q)  + 
range (app_msg_q))  -  1, 

,* State  delta  at  beginning  of  loop 

f ormula(loopsd) , 

; Input /output  counters  are  where  they  should  be 

msg_input_begins_at(n)  =  .stdin\ctr, 
msg_output_begins_at(n)  =  .stdout\ctr, 

; Output  condition  is  true  after  execution  of  loop  when 
;n  =  X.  This  is  stated  in  this  way  due  to  efficiency 
; considerations  (i.e.,  the  more  straightforward  way 
; introduces  many  new  places  -  see  report  for  more  details). 

n  =  X  +  1  — >  formula(output_condition)) 
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The  crucial  formula  in  the  invariant  above  is  the  last  one.  When  the  loop  induction  is 
completed,  the  upper  bound  of  the  loop  a:  +  1  is  substituted  for  n  in  this  formula,  and  thus 
a;  +  l  =  a;  +  l-^  formula{output-condition)  is  true  after  the  induction  is  finished.lt  is 
then  easy  to  proceed  to  the  proof  of  f  or mula{output -condition).  Instead  of  this  formula, 
we  originally  tried  formula{output-condition)  with  n  substituted  for  x,  but  we  found  that 
using  this  in  the  invariant  caused  the  prover  to  slow  down  significantly  and  we  aborted  the 
proof  before  it  finished. 

Whenever  SDVS  encounters  a  new  place,  it  must  add  information  to  its  database  about 
whether  changes  to  that  place  cause  changes  to  any  of  the  places  already  in  the  database. 
Both  the  operation  of  adding  a  new  place  to  the  database  and  the  operation  of  checking 
to  see  what  other  places  are  affected  when  a  given  place  is  changed  can  be  time-consuming 
when  there  are  many  places  and  some  of  the  places  are  not  known  to  be  disjoint,  i.e.,  changes 
to  these  variables  may  cause  changes  to  other  variables.  Using  f  or mula{output -condition) 
with  n  substituted  for  x  in  the  invariant  of  the  induct  command  introduced  elements  of 
stdin  and  stdout  that  are  not  necessarily  disjoint  from  elements  of  these  arrays  introduced 
earlier  in  the  proof  (specifically,  via  the  postcondition  of  the  correctness  assertion,  which 
is  simply  f  ormula{output-condition))  and  thus  was  responsible  for  the  proof  proceeding 
slowly.  The  formula  we  actually  used  avoids  this  problem,  as  it  contains  exactly  the  same 
elements  of  stdin  and  stdout  as  formula{outputjcondition). 

As  with  any  loop  induction,  there  is  a  base  case  and  a  step  case:  these  are  handled  in  the 
main  proof  above  by  6ase_case.jproo/and  step-case.proof,  respectively.  The  base  case  proof 
is  short  and  straightforward,  as  most  of  the  goals  are  automatically  proved  by  SDVS.  The 
step  case  is  proved  by  doing  a  case  split  on  all  possible  values  of  msgJd(n),  and  then  using 
the  same  meta-level  proof  every-case. proof m  each  case  .  Aided  by  the  new  proof  commands 
loop,  repeat,  if  (described  in  an  earlier  section)  and  letq  (which  allows  quantified  formulas 
to  be  given  more  meaningful  names),  we  were  able  to  write  such  a  meta-level  proof  because 
of  the  similarity  of  the  proof  for  each  case. 

After  system  crashes  thwarted  our  attempts  to  complete  the  week-long  proof,  we  decided 
that  the  fuU  proof  would  be  done  in  a  number  of  separate  SDVS  runs  rather  than  a  single 
run.  This  was  by  done  using  different  versions  of  step.cose.proo/ (these  begin  on  page  168  of 
Appendix  B)  when  running  the  main  proof.  Each  of  these  versions  carries  the  proof  through 
only  for  certain  message  identifiers  and  defers  the  cases  for  other  message  identifiers.  For 
example,  the  first  version  of  step-case. proof  proves  correctness  for  the  case  msg-id{n)  =  1 
and  defers  all  the  other  cases.  These  versions  cover  all  possible  cases  except  for  message 
identifiers  53,  54,  55,  and  56.  The  messages  with  these  identifiers  are  all  substantially  longer 
than  any  of  the  other  messages,  and  because  of  the  structure  of  the  meta-level  proof,  the 
time  and  space  requirements  for  each  case  vary  directly  with  the  length  of  the  message 
treated  in  that  case.  SDVS  ran  out  of  storage  when  we  tried  to  run  proofs  of  these  cases, 
in  spite  of  efforts  such  as  increasing  the  amount  of  space  in  the  SDVS  image  and  modifying 
the  way  in  which  garbage  was  collected. 

In  the  proof  every-case.proof,  each  case  is  further  split  into  two  cases,  one  in  which  n  is  less 
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than  X  and  one  in  which  n  is  equal  to  x.  Although  this  split  entails  symbolically  executing 
through  the  loop  twice,  this  proof  was  much  faster  than  any  that  did  not  involve  the  ca^e 
split.  The  reason  for  the  slowness  of  the  proofs  without  a  case  split  is  essentially  the  same 
as  the  reason  (mentioned  a  few  paragraphs  ago)  for  the  slowness  of  the  proof  with  the 
original  invariant:  namely,  in  those  proofs  without  the  case  split,  the  prover  was  not  able 
to  recognize  the  disjointness  of  various  elements  of  stdin  and  stdout. 

Both  of  these  cases  in  every. case,  proof  have  a  common  part: 


interpret 

interpret 

interpret 

interpret 

interpret 


produce. input  _ informat ion , 

go_to_retum_from_call_to_ret_cmd_buf_and_status, 
f ix_axray_valu6S_after_call_to_ret_cmd_buf _and_status , 
handle.intrinsics.imtil.end.of .program, 
f inish.of f .non.output.goals , 


The  above  proof  commands  accomplish  the  following: 

•  Instantiate  the  formula  input-condition  for  the  appropriate  range  of  values  to  provide 
information  about  the  current  message’s  input  needed  to  execute  symbolically  through 
the  loop,  e.g.  instantiate  input-condition  with  3  to  inform  SDVS  that  the  third  byte 
equals  the  message  identifier  {produce-input-information)-, 

•  Symbolically  execute  until  the  end  of  the  procedure  RET_CMD.BUF.AND.STATUS  and 
then  execute  notice  and  consider  commands  to  “remind”  the  prover  of  values  that 
occurred  in  an  array  assignment  {go-to-return-from-calLto-ret-cmd-buf-andstatus  and 
fix-array-values-after-call-to-ret-cmd-buf-and-status)-, 

•  Symbolically  execute  until  the  beginning  of  the  loop  is  reached 
( handk-intrinsics-untiLend-of-program) ; 

•  Prove  all  of  those  goals  generated  by  the  induct  command  that  do  not  have  to  do  with 
the  output  condition  {finish-off-non-output-goals) 

In  the  case  where  n  is  less  than  x,  we  also  interpret  the  proofs  separateJnput-places  and  sep- 
arate-output-places  before  the  common  part  of  the  proof  given  above.  These  proofs  provide 
SDVS  with  enough  information  to  deduce  that  the  problematic  places  that  necessitated  the 
case  split  are  disjoint.  In  the  other  case  (where  n  is  less  than  x),  we  interpret  the  proof 
finish-off-output-goal  to  prove  the  goal  generated  by  the  induct  command  that  involves  the 
output  condition. 

The  central  part  of  every-case. proof  is  the  subproof  handk-intrinsics-untiLend-of-program. 
Stripped  of  comments  and  timing  commands,  this  proof  is  simply  the  proof  command 
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loop  until  f ormula(loopsd)  with  loop_body 


Thus  this  subproof  interprets  the  subproof  loopJbody  until  f  ormula{loopsd)  is  true,  i.e., 
execution  reaches  the  beginning  of  the  loop.  The  proof  loop-body  symbolically  executes 
until  (1)  the  call  of  an  intrinsic  function,  (2)  after  the  call  to  MANAGE_MSG_RETRIEVAL,  (3) 
at  the  program  label  after-checksum-calculation,  or  (4)  at  the  beginning  of  the  loop.  When 
(1)  occurs,  we  apply  an  adalemma  for  that  Ada  function.  At  (2),  we  again  need  to  “remind” 
SDVS  of  lost  array  values.  For  (3),  we  have  to  prove  that  the  checksum  calculation  yields 
the  same  value  as  the  word  formed  from  the  checksum  bytes.  When  (4)  is  true,  the  symbolic 
execution  of  the  loop  is  finished,  the  interpretation  of  handle-intrinsics-untiLend-of-program 
is  finished,  and  we  proceed  to  proving  the  goals. 

This  concludes  the  discussion  of  the  proof  of  the  correctness  assertion.  More  detail  about  the 
proof  is  contained  in  Appendix  B.  It  should  be  noted  that  in  some  sense,  this  proof  proceeds 
by  “brute  force.”  By  this  we  mean  that  rather  than  symbolically  execute  through  the  loop 
once  and  have  a  proof  that  takes  into  account  the  multiple  computation  paths  through  the 
loop  for  the  different  messages,  we  simply  split  it  up  into  cases  such  that  there  is  exactly 
one  computation  path  (and  hence  a  simpler,  in  fact  a  meta-level  proof)  for  each  case. 
Thus  the  way  we  have  chosen  to  prove  the  correctness  assertion  involves  many  relatively 
simple  proofs,  each  of  which  involves  symbolically  executing  through  the  loop  (and  is  thus 
time-consuming),  rather  than  a  single,  more  complicated  proof  that  symbolically  executes 
through  the  loop  once. 

One  way  to  improve  upon  the  approach  in  this  section  is  to  use  adalemmas  for  the  various 
procedures  in  the  program.  This  approach  is  explored  in  the  next  section. 
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Adalemmas  for  the  BUILD  task. 


6.1  Why  adalemmas? 

Adalemmas  are  in  essence  a  special  type  of  state  delta  that  can  replace  a  subprogram  call 
during  symbolic  execution  of  the  main  program.  Normally  symbolic  execution  proceeds 
through  the  point  of  a  call  to  a  subprogram  into  the  code  of  the  subprogram  itself.  E, 
however,  an  adalemma  for  the  subprogram  has  been  proved,  it  can  be  invoked,  and,  in  one 
step,  symbolic  execution  moves  ahead  to  the  return  from  the  call.  The  adalemma  should 
express  aU  the  significant  changes  to  the  program  state  that  might  result  from  execution 
of  the  subprogram,  so  that  it  is  irrelevant  to  the  larger  proof  in  progress  whether  the 
subprogram  code  was  executed  or  the  adalemma  was  invoked.  Further,  the  postcondition  of 
the  adalemma  would  normally  provide  descriptive  information  about  what  the  subprogram 
has  accomplished  that  would  otherwise  have  to  be  proved  during  symbolic  execution  of  the 
subprogram  code.  For  example,  an  adalemma  for  a  sorting  procedure  might  include  in  its 
postcondition  a  quantified  statement  asserting  that  the  output  array  is  sorted.  Finally,  if  a 
subprogram  is  called  at  several  places  in  a  program,  invocation  of  the  adalemma  replaces 
several  possibly  lengthy  symbolic  executions  of  the  subprogram  code.  Thus,  adalemmas 
offer  significant  efficiencies  in  symbolic  execution. 

However,  efficiency  is  neither  the  only  nor  the  most  important  consideration.  The  main 
purposes  of  adalemmas  are  as  follows: 

(1)  To  provide  a  vehicle  for  expressing  and  proving  abstract  properties  of  a  subprogram. 

(2)  To  permit  modular  construction  of  proofs  for  programs. 

(3)  To  enable  specifications  to  be  stated  within  the  scope  of  program  declarations. 

We  shall  briefly  discuss  each  of  these  points. 

(1)  Program  specifications  are  often  stated  for  sections  of  programs,  rather  than  for  an  entire 
main  program.  This  is  true  for  reasons  of  manageabihty,  conciseness,  intelligibility,  the  fact 
that  program  specifications  are  usually  better  stated  for  subprograms,  and  sundry  other 
considerations.  In  the  case  of  the  portions  of  the  MSX  code  under  consideration  in  this 
project,  a  high-level  specification  might  involve  the  behavior  of  interacting  asynchronous 
tasks;  it  is  unclear  whether  or  how  formal  verification  can  address  the  timing  considerations 
involved,  so  we  are  led  to  specifications  for  individual  tasks.  The  typical  situation  is  that 
one  has  a  specification  either  for  a  subprogram  or  for  some  programming  unit  that  can  be 
recast  as  a  subprogram  for  the  purposes  of  formal  verification.  Adalemmas  in  SDVS  are 
expressly  designed  to  meet  the  needs  of  this  situation. 

Further,  specifications  for  programs  are  usually  set  up  with  a  considerable  degree  of  ab¬ 
straction.  A  program  with  a  completely  concrete  specification  and  set  of  inputs  can  be 
verified  merely  by  testing;  there  is  no  need  for  formal  methods.  But  in  the  usual  situa¬ 
tion  of  infinitely  many  possible  inputs,  the  specifications  are  necessarily  either  abstract  or 
incomplete.  Adalemmas  facilitate  the  abstract  statement  of  specifications  for  subprograms. 
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(2)  Just  as  good  mathematical  proofs  are  usually  developed  through  a  series  of  lemmas  and 
subsidiary  arguments,  and  good  programming  style  calls  for  structured  and  modularized 
code,  so  program  verification  requires  modularization.  Without  this,  proofs  of  any  but  the 
simplest  programs  become  mired  in  a  mass  of  detail,  overwhelming  the  user  and  defying 
comprehension.  Adalemmas  make  it  possible  to  avoid  such  situations,  and  to  build  up 
proofs  for  complex  programs  in  a  step-wise  fashion. 

(3)  Adalemmas  enable  specifications  to  be  stated  within  the  scope  of  program  declarations. 
Without  adalemmas,  the  claim  of  correctness  of  a  program  with  respect  to  its  specifications 
(which  as  always  with  SDVS  is  formulated  as  a  state  delta  to  be  proved)  must  be  formulated 
outside  the  scope  of  the  program  declarations.  This  is  not  without  its  merits,  because 
then  the  program  is  treated  as  a  “black  box,”  and  the  verification  covers  the  declarations 
in  the  code  as  well  as  the  program  structure.  However,  this  makes  it  difficult  to  state 
things  abstractly,  since  all  parameters  involved  in  the  specification,  possibly  including  large 
collections  of  constants,  have  to  be  asserted  in  a  setting-up  phase  of  the  proof  preceding  the 
symbolic  execution  of  the  program.  On  the  other  hand,  an  adalemma  can  be  formulated  in 
a  context  in  which  reference  to  the  program  declarations  is  possible,  because  aU  declarations 
and  initializations  are  automatically  generated  by  the  translator;  this  facilitates  abstract 
treatment  and  usually  increases  the  generality  of  the  resulting  proof. 

This  point  is  perhaps  easier  to  see  if  we  examine  some  of  the  earlier  verification  efforts 
with  SDVS,  prior  to  the  availability  of  adalemmas.  One  of  the  first  examples  was  a  sorting 
procedure.  Since  the  specification  could  not  be  stated  for  the  procedure  alone,  it  had  to 
be  stated  for  an  enclosing  main  program  that  would  actually  test  the  procedure.  This 
program  would  read  in  an  array,  call  the  procedure,  and  write  out  the  result.  The  proof 
had  to  contain  an  induction  for  the  input  loop,  and  a  second  induction  for  the  output 
loop,  as  well  as  quantified  statements  expressing  the  connection  between  the  internal  SDVS 
data  structures  and  the  stdin  and  stdout  arrays.  All  of  this  really  had  nothing  to  do  with 
verification  of  the  target  procedure,  and  obfuscated  the  proof.  None  of  this  was  necessary 
once  the  adalemma  facility  was  introduced. 

As  mentioned  above,  there  are  some  conceptual  advantages  to  treating  the  whole  program 
from  the  outside — the  proof  isn’t  dependent  upon  the  declarations— but  it  is  arguable  that 
declarations  are  neutral  from  the  point  of  view  of  verification.  There  might  be  a  mistake  in 
program  declarations  that  a  “from  the  outside”  proof  would  detect.  But  there  could  just 
as  easily  be  a  mistake  in  the  part  of  that  proof  containing  the  assertions  that  correspond  to 
the  internal  declarations.  In  the  end,  the  (human)  verifier  must  compare  the  printed  speci¬ 
fications  with  the  encodings,  whether  in  the  proof  or  the  program  text.  Unlike  declarations, 
the  links  between  the  detailed  program  structure  and  the  specifications  of  functionality  are 
relatively  obscure,  so  formal  verification  has  something  to  olfer. 
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6.2  A  proof  strategy  for  BUILD 
6.2.1  The  BUILD  process 

In  this  section  we  give  a  reprise  of  the  BUILD  task.  We  assume  general  familiarity  with 
the  code,  and  our  purpose  here  is  merely  to  give  an  overview  of  BUILD  to  facilitate  our 
description  of  a  verification  strategy.  Tables  1  and  5  in  [1]  should  illuminate  parts  of  the 
discussion. 

The  BUILD  task  consists  mainly  of  a  nonterminating  loop.  At  the  beginning  of  the  loop,  some 
(0  or  more)  commands  which  have  been  received  are  placed  in  APP_MSGS .  CMD_BUF  by  a  call 
to  SERIAL_DIG_CMDS.RET_CMD_BUF_AND_STATUS.  The  loop  simply  repeats  if  there  are  no  new 
commands.  Eventually,  there  will  be  some  new  commands,  so  the  effect  is  essentially  the 
same  as  if  we  regard  each  call  to  SERIAL_DIG_CMDS .  RET_CMD_BUF_AND_STATUS  as  retrieving 
at  least  one  command.  BUILD  processes  one  command  at  a  time,  i.e.,  per  iteration,  and 
for  practical  purposes  we  can  view  the  incoming  commands  as  an  infinite  stream.  Each 
command  has  four  bytes,  the  first  byte  indicating  the  type  of  command,  and  the  remaining 
three  containing  the  data.  The  commands  supply  raw  data;  the  stream  of  commands  must 
be  parsed  and  the  data  repackaged  into  application  messages  meaningful  to  other  modules 
of  the  tracking  processor.  This  parsing  and  repackaging  process  is  the  function  of  the  BUILD 
task.  BUILD  assembles  incoming  data  in  an  internal  buffer  (the  App_Msg  array),  and  when 
a  complete  message  has  been  constructed,  it  copies  this  into  a  FIFO  queue  of  messages, 
the  App_Msg_Q.  Messages  are  removed  from  the  App_Msg_Q  by  the  task  MANAGE_MSG_RETRIEVAL 
and  passed  to  the  task  PROCESS_MESSAGE. 

In  this  section  we  focus  on  the  message-building  process,  independently  of  the  interrupt- 
driven  command  reception  process  or  the  subsequent  message  retrieval  and  processing.  That 
is,  we  are  concerned  solely  with  the  BUILD  ta.sk.  The  central  aspect  of  this  is  to  show  that  if 
the  input  stream  of  commands  provides  a  correctly  constituted  message,  then  that  message 
is  eventually  assembled  by  BUILD  and  placed  in  the  App_Msg_Q.  There  are  numerous  other 
points  that  would  merit  verification,  e.g.  the  handling  of  erroneous  input,  but  in  this  report 
we  restrict  ourselves  to  verifying  the  basic  functionality  (assuming  error-free  input). 

A  command  has  four  bytes.  The  first  byte  is  a  code  indicating  the  type  of  command. 
Many  op  codes  signify  the  type  of  message  being  initiated,  and  a  few  are  used  to  identify 
the  command  as  a  continuation  command  for  a  previously  initiated  message.  In  the  case 
of  Data_Struc_Load  messages,  the  op  code  of  the  initiating  command  is  1,  while  code  8 
(Data_Load_Cmd)  is  used  for  the  succeeding  commands  in  this  message  type.  Some  types 
of  messages  are  completed  by  only  one  command,  i.e,  they  have  at  most  two  actual  data 
bytes  besides  the  op_code,  and  others  require  several  commands  to  convey  enough  data  for 
a  complete  message.  We  are  here  primarily  interested  in  the  latter  type,  and  in  particular, 
the  Data_Struc_Load  messages.  These  have  op_code  1  and  continuation  code  8,  and  come  in 
many  sizes.  The  second  byte  of  a  Data_Struc_Load  message  contains  information  relating 
to  the  ultimate  disposition  of  the  message,  but  is  not  used  in  the  build  process.  The  third 
byte  of  a  Data_Struc_Load  message  contains  a  messageJd]  associated  with  each  messageJd 
is  a  specific  length  for  the  message. 
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Let  us  consider  the  bytes  of  a  message  as  being  numbered  sequentially.  The  first  command 
for  a  message  contains  bytes  1  through  4,  and  each  succeeding  command  supplies  three  more 
message  bytes  (the  high-order  byte  of  these  four-byte  commands  contains  the  continuation 
code).  The  message  bytes  from  the  commands  are  copied  and  repackaged  into  an  array  of 
words,  which  is  considered  the  message  itself. 

The  code  has  two  tables  of  constants: 

TRKING_DATA_STRUC .  Words_For_Data_Struc,  providing  the  actual  number  of  words  needed 
for  a  message,  and 

Cmds_For_Data_Struc,  providing  the  number  of  commands  required  to  convey  the  mes¬ 
sage. 

The  messageJd  is  the  look-up  index  for  both  tables.  Note  that  each  command  provides 
three  bytes  for  a  message,  each  word  of  a  message  holds  two  bytes,  and  the  first  message 
byte  (the  op.code)  goes  in  the  second  byte  of  the  first  word.  An  n-byte  message  requires 
(n  —  l)/3  commands  and  (n  4-  l)/2  words. 

Most  of  the  work  of  the  build  task  is  accomplished  by  two  procedures,  INITIATE_build  and 
COHTINUE_BUlLD.  INITIATE_BUILD  is  called  when  a  message-initiating  command  is  received. 

It  determines  what  type  of  message  is  to  be  built.  In  some  cases,  the  entire  message  is  avail¬ 
able  from  the  first  command,  so  INITIATE.BUILD  sends  it  directly  to  the  App_Msg_Q.  Other 
types  of  messages  (Data_Struc_Load,  RAM_Mem_Load,  EEPROH_Mem_Load,  Mem_Diimp_X_FraiBes, 
and  Chg_Monitor_Loc)  require  more  than  the  four  bytes  available  in  the  first  command, 
so  IHITIATE_BUIID  sets  the  Build_Iii_Progress  flag  to  true,  and  puts  the  bytes  of  the  first 
command  into  the  App_Msg  intermediate  buffer.  Each  of  the  message  types  involves  its  own 
unique  processing  steps  at  some  point,  but  we  have  decided  to  focus  on  the  Data_Struc_Load 
messages  (data-structure  application  messages)  because  they  are  critical  to  the  mission  and 
their  length  generally  requires  “building,”  so  they  provide  a  good  example  of  the  functioning 
of  most  parts  of  the  BUILD  task. 

CONTIHUE_BUILD  is  called  when  Build_In_Progress  is  true,  and  appends  three  more  bytes  to 
the  message  being  built  in  the  App_Msg  buffer.  In  addition,  if  this  is  the  last  command  with 
data  for  the  current  message,  CONTINUE_BUILD  copies  the  App_Msg  to  the  App_Msg_Q,  and  then 
sets  BUILD  task  global  variables  as  required  to  reset  the  build  process  in  preparation  for  the 
next  message. 

The  following  is  a  summary  of  the  control  flow  for  BUILD: 

Start  at  loop  beginning  with  some  commands  in  Cmd_Buf 
Call  Initiate_Build  to  process  the  first  command: 

Assume  a  Data^truc_Load  message. 

Cont_Cmd  < - Data_Load_Cmd 

Determine  Nuiu_Cmds_For_App_Msg,  and  Num_Words_For_AppJlsg 
via  table  look-up. 
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Copy  bytes  1  through  4  of  the  command  into  App_Msg(2.  .4). 

CmdsJlcvd  < -  1 

Build-In-Progress  < -  True 

While  Cmds-Rcvd  <  Num-Cmds-For-App-Msg  -  1: 

Call  CONTINUE-BUILD  to  add  the  last  three  bytes  of  a 
continuation  command  to  the  message  being  built  in  the 
App-Msg  buffer. 

Call  CONTINUE-BUILD  for  the  last  command  for  this  message,  to 

Add  the  last  three  bytes  to  App-Msg, 

copy  the  completed  application  message  from  App-Msg  to 

the  App-Msg-Q, 

reinitialize  task  globals. 

Many  details  have  been  omitted  from  this  summary,  but  this  is  the  general  idea  of  the  control 
flow.  Our  summary  is  intended  to  convey  only  the  actual  order  of  execution,  not  the  precise 
syntactic  structure  of  the  program.  In  particular,  there  is  no  while-loop  as  shown  in  the 
summary;  instead,  almost  the  entire  task  consists  of  a  single  loop  that  extracts  a  command 
from  the  Cmd-Buf,  then  calls  either  INITIATE-BUILD  or  CONTINUE-BUILD  depending  on  the 
value  of  the  Build-In_Progress  flag.  CONTINUE-BUILD  may  be  called  even  for  a  command 
that  is  not  a  continuation  command;  for  example,  a  No_op_Cmd  may  be  interspersed  at  any 
point  during  the  stream  of  commands  for  some  application  message,  and  C0NTINUE_BUILD 
wiU  write  it  directly  into  the  App-Msg_Q,  but  not  abort  the  build  in  progress. 


6.2.2  Proof  strategy 

As  noted,  SDVS  does  not  currently  support  tasks.  Indeed,  problems  of  interaction  between 
asynchronous  concurrent  tasks  are  generally  intractible,  and  one  should  probably  not  expect 
any  formal  program-verification  system  within  the  current  state  of  the  art  to  deal  with  all 
aspects  of  such  problems.  However,  it  is  certainly  possible  to  formulate  and  prove  meaningful 
statements  about  tasks.  We  shall  outline  a  verification  approach  to  the  BUILD  task. 

BUILD  is  supposed  to  copy  bytes  from  the  Cmd_Buf,  which  are  packaged  as  three  bytes  per 
command,  and  reassemble  them  into  messages,  with  the  completed  message  placed  in  the 
App-Msg-Q.  This  process  is  complicated  by  the  facts  that  the  Cmd-Buf  need  not  contain 
at  any  one  time  a  sufficient  number  of  commands  to  complete  a  particular  message,  and 
that  No-op  commands  may  be  interspersed  with  commands  continuing  some  other  mes¬ 
sage.  We  will  deal  with  the  latter  complication  by  assuming  that  there  are  no  No-op 
commands,  and  with  the  former  by  assuming  that  as  a  result  of  the  call  by  BUILD  to 
SERIAL-DIG-CMDS.RET-CMD-BUF-AND-STATUS,  the  Cmd-Buf  contains  enough  messages  to  com¬ 
plete  a  message.  The  more  general  situations  are  probably  not  intractable  for  SDVS,  but 
they  are  more  than  is  appropriate  for  this  first  attempt  at  verification  of  BUILD. 

Consider  the  beginning  of  the  “for”  loop  in  the  BUILD  task.  A  state  delta  expressing  the 
essence  of  what  this  part  of  BUILD  does  should  express  the  following: 
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Assume  that  control  is  at  the  beginning  of  the  “for”  loop,  that  the  first  command 
in  the  Cmd_Bul,  namely  Cnid_Buf  (1),  is  the  first  command  of  a  Data_Stmc_Load 
message,  and  that  Cmd_CoTint  is  large  enough  that  the  complete  message  is  con¬ 
tained  within  the  commands  in  the  buffer,  i.e., 

.cnid_coimt  ge  .cmds_for_data_stnic[.record(ciid_buf  [1]  ,third_byte)] 

Then  at  a  future  time,  control  will  again  be  at  this  point  and  the  message  will 
have  been  built  and  copied  into  the  App_Msg_Q. 

The  state  delta  would  include  other  information,  such  as  the  new  values  of  variables,  and 
the  “future  time”  would  be  precisely  specified.® 

Some  changes  in  the  program  syntax  are  necessary  to  accomodate  SDVS  and  what  we  want 
to  do.  In  the  first  place,  SDVS  does  not  handle  tasks,  so  the  BUILD  task  must  be  converted  to 
a  procedure.  Secondly,  we  are  interested  in  proving  something  about  an  internal  fragment 
of  BUILD,  the  “for”  loop,  so  we  must  find  a  way  to  facilitate  this  within  the  requirements 
of  SDVS.  Enhancements  of  SDVS  to  permit  proving  lemmas  about  fragments  of  code  are 
under  consideration,  but  not  yet  in  place.  However,  SDVS  does  have  the  ability  to  prove 
adalemmas  about  procedures.  Any  fragment  of  code  which  is  a  sequence  of  executable 
statements  can  be  converted  to  a  procedure  call  by  the  following  artifice:  Given  a  fragment 
of  code 

— start  of  code  fragsent 


— End  of  code  fragment 


replace  it  by 


DECLARE 

PROCEDURE  Fragment  IS 
BEGIN 


— Start  of  code  fragment 


®A  more  elaborate  treatment  could  drop  the  assumption  that  all  the  necessary  commands  were  in  the 
Cmd_Buf ,  and  would  consider  conditions  at  the  beginning  of  the  outer  main  loop,  instead  of  the  inner  “for” 
loop.  In  the  actual  implementation,  commands  are  obtained  asynchronously  using  hardware  interrupts.  Our 
test  programs  replace  this  by  a  simple  call  to  “get,”  so  the  pending  commands  can  be  referred  to  as  in  the 
stdin  array.  Then  the  action  of  the  routine  SERIALJ)IG_CMDS .  RET_CMD^UF_AND_STATUS  would  be  described 
as  simply  returning  one  or  more  commands  from  the  input  stream.  Although  all  this  seems  feasible  and  not 
inordinately  complicated,  we  believe  the  simpler  form  chosen  above  to  be  satisfactory  for  a  first  step. 
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— End  of  code  fragment 


BEGIN 


END  Fragment ; 


Fragment ; 

END; 


The  result  is  essentially  equivalent  to  the  original  code/  Whatever  one  may  have  wanted 
to  prove  about  the  original  code  fragment  may  now  be  formulated  as  an  adalemma  about 
the  procedure  Fragment.  This  adalemma  can  then  be  used  in  proofs  about  larger,  enclosing 
procedures. 

In  the  present  case,  we  propose  to  prove  a  suitable  adalemma  for  the  “for”  loop  that  is  part 
of  the  BUILD  procedure.  Such  an  adalemma  could  then  be  used  as  an  aid  in  proving  other 
adalemmas  about  larger  parts  of  BUILD.® 

The  main  elements  of  the  “for”  loop  are  calls  to  INITIATE.BUILD  and  continue.build.  Our 
first  steps  are  therefore  to  develop  and  prove  adalemmas  for  these  two  procedures. 

At  the  time  of  this  writing,  the  proofs  for  the  two  procedures  are  complete,  but  the 
adalemma  and  proof  for  the  for-loop  are  stiU  under  development.  Also,  we  have  constructed 
proofs  only  for  a  version  of  the  MSX  code  in  which  the  checksum  loop  in  the  Continue_Build 
procedure  has  been  excised;  the  code  is  modified  so  that  the  test  for  the  correct  checksum 
is  always  passed.  This  has  been  done  only  because  of  lack  of  time  to  complete  the  work. 


6.3  The  INITIATE_BUILD  adalemma 

The  INITIATE_BUILD  procedure  implements  the  first  step  in  message  processing.  It  examines 
the  type  of  incoming  messages,  which  (after  elimination  of  a  parity  bit  by  the  calling  program 
build)  is  contained  in  the  first  byte  of  the  first  command  for  a  message.  In  several  cases,  cill 
of  the  message  is  communicated  by  the  first  command,  so  INITIATE_BUILD  places  the  message 
into  the  App_Msg_Q  directly.  Various  error  conditions  are  also  handled  by  INITIATE_BUILD. 
Here,  we  concern  ourselves  only  with  the  Data_Struc_Load  messages,  which  do  require  more 
than  one  command  and  thus  at  least  one  call  of  COKTINUE.BUILD.  The  part  of  INITIATE_BUILD 
of  interest  is 


procediure  INITIATE_BUILD  (Start_Op_Code  :  in  GLOB AL_TYPES. BYTE; 

^we  would  like  to  say  “semantically  equivalent,”  but  Ada  itself  lacks  the  formal  semantics  that  would  be 
needed  to  formally  establish  semantic  equivalence. 

®  However,  the  adalemma  could  only  be  used  in  the  context  of  the  modified  version  of  BUILD,  in  which  the 
“for”  loop  has  been  transformed  to  a  procedure  call.  Eventually,  enhancements  to  SDVS  allowing  adalemmas 
about  arbitrary  code  fragments  will  obviate  the  need  for  this  roundabout  procedure. 
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TeMp_¥ord 
High_By t  e_Vor d 
Low_Byte_Word 
Dat  a_Struc_ID_F  ound 
Start _Build 
Struc_ID_Inder 
X 
Y 


CMd_Buf_Index  :  in  INTEGER)  is 
:  GLDBAL_TYPES.WQRD; 

:  GLDBAL_TYPES.WORD; 

:  GLOBAL_TYPES.WORD; 

:  BOOLEAN; 

:  BOOLEAN; 

:  INTEGER; 

:  INTEGER; 

:  INTEGER; 


begin 

Start _Build  :=  False; 
case  Start _Op_Code  is 
when  Data_Struc_Load  => 

Data_Stnic_ID_Found  :=  False; 

Stmc_ID_Index  :  = 

COHV_BYTE_TO_INTEGER(CBd_Buf (CBd_Buf .Index) .Third_Byte) ; 
ii  (Struc_ID_Index  <=  TRKING_DATA_STRUC .Num.Data.Struc)  and 
(Struc_ID_Index  >  0)  then 
Cont.Cmd  :=  Data.Load.Cnd; 

Nu*_Cmds_For_App_Msg  :=  C]iids_For_Data_Strtic(Struc_ID_Index) ; 
Nu»_Words_For_App_Msg  :=  TRKING_DATA_STRUC. Words _For_Data_Struc( 

Struc_ID_Index)  +  1 


if  (Him_Cmds_For_App_Msg  /=  0)  then 
Data_Struc_ID_Fotm.d  :=  True; 

Start .Build  :=  True; 
end  if; 
end  if; 

if  (Dat a.Struc.ID.F ound  =  False)  then 


end  if ; 

when  RAM.Mea.Load  I  EEPROM.Mem.Load  => 


end  case; 

if  Start .Build  then 
App.Msg(l)  :=  0; 

App.Msg(2)  C0NV_BYTE_T0.WDRD(Start_0p.Code) ; 


Temp.word 
High.Byte.Word 
Temp.Word 
App.HsgO) 

TeMp.word 
App.Msg(4) 

Start  ing.Cmd.Vith.Par 
Cmds.Rcvd  1; 
Word.Cntr 
Build.In.Progress 
Start.Build 
end  if; 

end  INITIATE_BUILD; 


CONV.BYTE.TO_WaRD(CBd_Buf(Cmd_buf. index) .Second.Byte) ; 
SHIFT.LOGICAL.WORD (Temp.word,  8); 

C0NV.BYTE.T0.W0RD(Cmd.Buf (Cmd.buf. index) .Thixd.Byte) ; 
0R_W0RD(High_Byte_Word,  Temp.Word) ; 

C0NV.BYTE.T0.WDRD(Cmd.Buf (Cmd.buf. index) .Fourth.Byte) ; 
SHIFT.LOGICAL.WORD (Temp.word,  8); 

Cmd.Buf( Cmd.buf.  index) .First.Byte; 


=  4; 

=  True; 

=  False; 
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What  this  code  does  is  straightforward:  After  determining  that  the  message  is  a  Data_struc_Load, 
it  sets  Cont_Cind  to  Data_Load_Cnid,  and  determines  the  numbers  of  commands  and  words  re¬ 
quired  for  the  incoming  message,  using  look-up  tables  based  on  the  message  id — this  is  kept 
in  Struc_ID_Index  and  is  obtained  from  the  third  byte  of  the  first  command.  After  some  va¬ 
lidity  checking,  control  passes  to  the  if  statement  at  the  end  of  the  procedure,  start _Build 
has  been  set  to  True  by  any  part  of  the  case  statement  processing  a  message  that  will  in¬ 
volve  additional  commands,  and  thus  must  be  “built.”  Through  a  sequence  of  conversions, 
bit-wise  logical  shifts,  and  logical-OR  operations,  the  original  four  bytes  of  the  command  end 
up  repackaged  in  words  2  through  4  of  the  App_Msg  array.  Word  1  of  App_Msg  is  left  zero; 
it  is  not  involved  in  the  processing  of  a  Data_Struc_Load  message  and  will  ultimately  be 
ignored  by  CONTINUE_BUILD. 

We  shall  now  discuss  the  corresponding  adalemma  for  the  Data_Struc_Load-message  pro¬ 
cessing  parts  of  INITIATE.BUILD.  This  adalemma  and  its  proof,  as  saved  by  SDVS  are: 

(def adalemma  iiiitiate_build .  data_struc_load .  adalemma 

"msx_program_f inal_version_sans_checksum. a"  initiate_build 

msr_program_f  inal_Tersion_ScUis_checks'um .  app_msgs .  initiate.build 
(" .start_op_code  =  .data_struc_load" 

"  ~ .  build_iii_progress  " 

"  •  apP-.®sgs .  cmd_st  atus_buf  [ .  init  iate_build .  cmd.buf  _iiidex]  =  .  cmd_ok  " 

"is .byte( . start_op_code) " 

"is . cmd_bytes_type ( . app_msgs . cmd_buf [. initiate_build. cmd_buf .index] ) " 
"origin(app_msgs.cmd_buf)  le  .initiate_build.cmd_buf .index" 

" . initiate.build. cmd.buf .index 
le  (origin(app.msgs. cmd.buf)  +  rangeCapp.msgs. cmd.buf))  -  1" 

"0  It  .recordCapp.msgs. cmd.buf [. initiate.build. cmd_buf. index] .tbird.byte)" 

" .recordCapp.msgs . cmd.buf  [. initiate.build. cmd.buf .index] .tbird.byte) 
le  .num.data.struc" 

" . cmds.f or.data.struc 

[. recordCapp.msgs. cmd.buf [. initiate.build. cmd.buf. index] .tbird.byte)]  "=  0") 

Ccont.cmd 

num. cmds.f  or .app.msg 
num.words.for.app.msg 

Celement  app.msgs.cmd. status.birf  Cdot  initiate.build. cmd.buf. index)) 

Cslice  app.msg  1  4) 

st  art ing.cmd.witb.par 

cmds.rcvd 

word.cntr 

build. in.pr ogress) 

C'forall  q  CoriginCapp.msg)  le  q  &  q  le  #word.cntr  — >  is .word C .app.msg [q] )) " 

"#cont.cmd  =  .data.load.cmd" 

"#num.cmds.f or.app.msg 

=  .cmds.for.data.strucf. recordCapp.msgs. cmd.buf [.initiate.build. cmd.buf. index] . 

tbird.byte)]" 

"#num.words.f or.app.msg 

=  .words.f or .data.struc [.recordCapp.msgs . cmd.buf [ .  initiate.build. cmd.buf .index] , 

tbird.byte)]  +  1" 

"#build.in.pr ogress  =  true" 

"#app.msg[l]  =  0" 

"#app.msg[2]  =  .start.op.code" 


39 


"liigh.byte(#app_*sg[3]  , 

.record(app_msgs.cMd_bu± [. in.itiate_buil<i.cmd_buf _lndex]  ,  second_byte)) " 
"low.byte(#app_iisg[3]  , 

. record(app_iisgs .  cmd_buf  [ .  init iate_build .  cmd_buf  _index]  ,  third_byte) )  ” 
"high.byte(#app_msg[4]  , 

. record(app_msgs .  cmd_buf  [ . initiate.build . c*d_buf _index]  ,  f  oiirth_byt e) )  " 
"low.byte(#app_iisg[4]  ,0)" 

"#st  art  ijig_ciid_¥ith_par 

=  .record(app_msgs . CMd_bul [. initiate_build. cmd_buf .index] .first .byte) " 

"#c*ds.rcvd  =  1" 

"#¥ord.ciitr  =  4") 

: proof 

"  (proveadalenma  initiate_build.data.struc.load.  adalema 
proof : 

(readaxioMs  \"/u/versys/sd¥s/axioas/ain:aycoverings .  axiomsN" , 
provebyaxion  pcoveringCapp.iisgCl  :4]  ,app_msg[l]) 
using:  pcoveringXsliceXelenent , 
provebyaxion  pcovering(app_msg[l :4] ,app_BSg[2]) 
using:  pcovering\slice\element , 
proTebyaxiom  pcoTeriag(app_Bisg[l :4]  ,app_Bsg[3]) 
using:  pcovering\slice\element , 
proTrebyaxion  pcoveringCapp.iisgCl :4]  ,app_nsg[4]) 
using:  pcovering\slice\eleiient , 
applydecls , 

go 

#Msx_program_final_version_sans_checksum\pc 

=  at (msx_prograM_final_version_sans_clieclcsuii.intrinsic_functions.sh.ift_logical_¥ord)  , 
invokeadaleima  sbif t.logical.word. adalemma, 

go 

#iisx_prograii_final_version_sans_checksum\pc 

=  at (nsx.progran.f inal.version.sans.checksum. intrinsic.functions . or.word) , 
invokeadaleima  or.word . adalemma , 

go 

#msx_prograM_final_version_sans_checksuii\pc 

=  at (msx.progran.f inal.version.sans.checksum. intrinsic.f unctions. sbift.logical.word) , 
invokeadaleima  shif t.logical.vord. adalemma, 

go 

#msx_program_final_version_sans_checksum\pc 

=  exitedCmsx.program.f inal.version.sans.checksum. app.msgs. init iate.build) , 
notice  forall  q  (q  le  4  — >  q  =  4  or  q  le  3) , 

notice  forall  q  (q  le  3  — >  q  =  3  or  q  le  2) , 

notice  forall  q  (q  le  2  — >  q  =  2  or  q  le  1) , 

notice  forall  q  is.wordC.app.msgCl]) , 

notice  forall  q  is . wordC .app_BSg[2] ) , 

notice  forall  q  is .  wordC  .app_iisg[3]  )  , 

notice  forall  q  is  .wordC  .app_msg[4]  )  , 

provebygeneralization  gCl) 

using:  CqCl) ,qC2) ,qC3) ,qC4) ,qC5) ,qC6) ,qC7)) , 
close) ) ") 


We  shall  discuss  the  various  parts  of  the  adalemma  and  its  proof.  The  first  group  of  quoted 
lines  are  the  precondition,  those  facts  which  must  be  true  in  order  that  the  adalemma  may 
be  applied.  In  general,  these  assertions  reconstruct  the  environment  within  which  the  target 
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procedure  is  called.  For  example,  INITIATE_BUILD  is  called  only  when  Build_In_Progress 
is  False,  SO  the  precondition  asserts  that  fact.  When  SDVS  sets  up  the  environment  for 
proving  the  adalemma,  the  preconditions  are  asserted  (as  in  the  proof  of  any  state  delta). 

The  Precondition: 


" .start _op_code  =  .data_struc_load" 

.build,  iii_progress" 

"  .app_msgs  .cnid_status_buf  [.  initiate_build.cmd_buf  _index]  =  .cind_ok" 

" is . byt  e ( . St  art  _op_code ) " 

"is .  cmd_bytes_type  ( .  app.asgs .  cmd.buf  [ .  in.itiate_build.  cmd_buf_  index]  )  " 

"origin (app_i!isgs.ciiid_buf)  le  . initiate_build.ciad_buf_index" 

" . initiate_build. cmd_buf_index  le 

(origin (app_msgs.cmd_buf)  +  range (app_iiisgs.cmd_buf))  -  1" 

"0  It  .record(app_msgs.cmd_buf  [.initiate_build.cmd_buf_index]  ,th.ird_byte)" 

" .record(app_msgs . cmd_buf [. initiate_build.cmd_buf _index] ,third_byte)  le 
. num_data_struc" 

" .  cmds_f  or_data_st2ruc  [ 

.record(app_iiisgs.cmd_buf  [.initiate_build.cmd_buf_index]  ,third_byte)]  "=  0") 


All  of  the  assertions  are  either  facts  which  are  true  in  the  environment  in  which  INITIATE_BUILD 
is  called,  or  which  restrict  applicability  to  the  case  of  interest  (i.e.,  the  Data_Struc_Load  mes¬ 
sages),  and  which  are  actually  necessary  for  the  proof.  The  last  three  of  the  preconditions, 
referring  to  the  third  byte  of  the  command  for  which  INITIATE.BUILD  is  called,  assert  the 
legitimacy  of  this  value  as  a  message  id,  and  that  the  corresponding  message  length  is  not 
0. 

The  following  mod  list  is  a  list  of  places  which  are  altered  by  INITIATE_BUILD. 

The  Mod  List: 

cont_cmd, 

num_cjnds_f  or_app_insg , 
nuiri_¥ords_f  or_app_insg , 

app_msgs .  cind_stat\is_buf  [ .  initiate_build.  cind_buf_ index]  , 
app_iiisg[l:4]  , 

St  art  ing_cand_with_par , 
cmds_rcTd , 
sord_cntr , 
build_in_progress 

The  proof  for  the  INITIATE_BUILD  adalemma  is  short  enough  that  we  can  discuss  it  at  this 
point. 

The  Proof: 


proveadalemma  initiate_build.data_struc_load. adalemma 
proof : 

(readaxioms  \"/u/versys/sdvs/axioms/arxaycoverings.axioms\" , 
provebyaxiom  pcovering(app_msg[l :4] ,app_msg[l]) 


41 


using:  pcovering\slice\eleiieiit , 
provebyaxioM  pcovering(app_msg[l :4] ,app_Bsg[2]) 
using:  pcovering\slice\eleMent, 
provebyaxioM  pcovering(app_aisg[l :4]  ,app_msg[3]) 
using:  pcoTering\slice\element , 
provebyaxiom  pcovering(app_msg[l :4] ,app_msg[4]) 
using:  pcovering\slice\eleBent , 
applydecls, 
go 

#Bsx_prograM_final_version_sans_checksum\pc 

=  at  (iisx_prograiB_f  inal_version_sans_checksum.  intrinsic_f unctions . sh.if t_logical_iiord)  , 
invokeadalemma  shilt_logical_Hord. adalenuna, 

go 

#msi_prograiii_linal_version_sans_checksum\pc 

=  at  (msx_program_f  inal_version_sans_checksujn.  intrinsic_functions . or_Bord)  , 
invokeadalema  or_word .  adalemma , 

go 

#msx_prograffl_final_version_sans_checksum\pc 

=  at (msx_program_f inal_version_sans_checksum. intrinsic_functions . shif t_logical_Hord) , 
invokeadaleua  shif t_logical_word .  adalemma , 

go 

#iiisi_prograni_f  inal_version_sans_checksum\pc 

=  exited (msx_program_f inal_Tersion_sans_checksum . app_msgs . init iate_build) , 
notice  forall  q  (q  le  4  — >  q  =  4  or  q  le  3) , 

notice  forall  q  (q  le  3  — >  q  =  3  or  q  le  2) , 

notice  forall  q  (q  le  2  — >  q  =  2  or  q  le  1) , 

notice  forall  q  is.BordC  .app_sisg[l]  )  , 

notice  forall  q  is.wordC  .app_iESg[2]  )  , 

notice  forall  q  is.word(.app_iisg[3]) , 
notice  forall  q  is.word( .app_msg[4] ) , 
provebygeneralization  g(l) 

using:  (q(l) ,q(2) ,q(3) ,q(4) ,q(5) ,q(6) ,q(7)) , 
close) 


The  provebyaxiom  commands  at  the  beginning  establish  that  array  places  actually  changed 
during  symbolic  execution  are  covered  by  the  mod  list  of  the  adalemma.  Each  call  to 
an  intrinsic  function  is  handled  by  an  adalemma.  The  series  of  notices  at  the  end  are 
connected  with  a  familiar  problem:  the  simplifier  automatically  has  available  that  n  < 
m  n  =  mVn<m— 1,  but  must  be  guided  to  extend  this  further  to  such  facts  as 
n  <  m  n  =  m\/n  =  m  —  lWn  =  m  —  2Vn<m-3. 


6.4  The  CONTINUE_BUILD  adalemmas 

6.4.1  Overview 

The  CONTINUE_BUILD  procedure  is  called  to  handle  continuation  commands,  i.e.,  commands 
containing  parts  of  a  message  for  which  a  build  is  in  progress.  Since  we  are  considering 
only  Data_Struc_Load  messages,  we  will  consider  only  the  handling  of  Data_Load_Cmds  by 
CONTINUE_BUILD;  Data_Load_Cmd  is  the  value  set  in  Cont_Cmdby  INITIATE.BUIID  when  it  starts 
the  build  of  a  Data_Strac_Load  message.  The  parts  of  CONTIHUE_BUILD  of  interest  to  us  are 
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the  following: 


procediire  CONTINUE_BtJILD(Cont_Op_Code  :  in  GLOB AL_TYPES .BYTE; 

Ciad_Buf_Inde2  :  in  INTEGER)  is 
App_Hsg_ Checksum  :  GLOBAL.TYPES.WORD; 

App_Hsg_Start_Word  :  INTEGER; 

Msg_Word_Index  :  INTEGER; 

Q_Word_Index  :  INTEGER; 

Temp_¥ord  :  GLOB AL.TYPES. WORD; 

High_Byte_Word  ;  GLOB AL_TYPES -WORD; 

Lo¥_Byte_Word  :  GLOB AL.TYPES. WORD; 

begin 

if  Cont_Op_Code  =  Cont_Cmd  then 
if  (CiBds_Rcvd  mod  2)  =  0  then 
Word_Cntr  :=  Word_Cntr  +1; 

Temp_Word  : =  CONV_BYTE_TO_WORD (Cmd.Buf (Cmd.Buf _Indei) . Second.Byte) ; 

High_Byte_Word  :=  SHIFT_LDGICAL_WORD(Temp_Word.  8); 

Low_Byte_Word  ;=  CONV_BYTE_TO_WORD(Cmd_Buf (Cmd_Buf_Indei) .Thixd_Byte) ; 
App_Msg(Word_Cntr)  :=  OR_WORD(High_Byte_Word,  LoB_Byte_Word) ; 

Word_Cntr  :=  Word_Cntr  +  1; 

Temp_Word  :=  CONV_BYTE_TO_WORD(Cmd_Buf (Cmd_Buf_Indei) .Fourth_Byte) ; 
App_Msg(Word_Cntr)  :=  SHIFT_LDGICAL_WORD(Temp_Word,  8); 
else 

Low_Byte_Word  :=  CONV_BYTE_TO_WORD(Cmd_Buf (Cmd_Buf_Index) .Second_Byte) ; 
App_Msg(Word_Cntr)  :=  OR_WORD(App_Msg(Word_Cntr) ,  Low_Byte_Word) ; 
Word.Cntr  :=  Word_Cntr  +  1; 

Temp.Word  :=  CONV.BYTE_TO_¥ORD(Cmd_Buf (Cmd_Buf_Index) .Third_Byte) ; 
High_Byte_¥ord  :=  SHIFT_LOGICAL_¥aRD(Temp_¥ord,  8); 

Low_Byte_¥ord  :=  CONV_BYTE_TO_¥ORD(Cmd_Buf(Cmd_Buf .Index) .Fourth.Byte) ; 
App_Msg(¥ord_Cntr)  :=  OR_¥ORD(High_Byte_¥ord,  Lo¥_Byte_¥ord) ; 
end  if; 

Cmds.Rcvd  :=  Cmds.Rcvd  +  1; 
if  Cmds.Rcvd  =  Num_Cmds_For_App_Msg  then 
App_Msg_Checksum  :=  0; 

App_Hsg_Checksum  :=  App_Msg(Num_¥ords_For_App_Msg  +  1); 
if  App_Msg_ Checksum  =  App_Msg(Num_¥ords_For_App_Hsg  +1)  then 
if  App_Msg_Counter  <  App_Msg_Q_Size  then 
App_Hsg_Start_¥ord  :=  2; 

if  (C0NV_¥0RD_T0_BYTE(App_Msg(2))  =  RAM_Hem_Load)  or 
(C0NV_¥0RD_T0_BYTE(App_Msg(2))  =  EEPR0M_Mem_Load)  or 
(C0NV_¥0RD_T0_BYTE(App_Msg(2))  =  Mem_Dump_X_Frames)  then 


end  if ; 

Q.Tail  :=  (Q.Tail  mod  App_Msg_q_Size)  +  1; 

Nm_¥ords_For_App_Hsg  :=  Num_¥ords_For_App_Msg  +  1; 

Q_¥ord_Index  :=  0; 

for  Msg_¥ord_Index  in  App_Msg_ Start _¥ord. .Num_¥ords_For_App_Msg  loop 
Q_¥ord_Index  :=  Q_¥ord_Index  +  1; 

App_Msg_Q(Q_Tail) (Q_¥ord_Index)  :=  App.Msg (Hsg_¥ord_Index) ; 
end  loop; 

App_Msg_Q(Q_Tail) (CMDS.TYPES .App_Ksg_Max)  :=  Q_¥ord_Index; 
App_Msg_Counter  :=  App_Msg_Counter  +  1; 
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if  App_Msg_Start_Word  =  1  then 
null; 

else 

Temp.Word  :=  SHIFT_L0GICAL_W0RD(App_Msg(3) ,  -8); 
end  if ; 

Temp.Word  :=  SHIFT_LaGICAL_W0RD(App_Msg(4) ,  -8); 
else 


end  if; 
else 


end  if ; 

Build_In_Progress  :=  False; 
end  if ; 
else 


end  if; 

end  CQNTIiraE_BUILD; 

There  are  two  adalemmas  for  C0NTINUE_BUILD;  one  handles  the  case  where  the  command 
to  be  processed  is  not  the  last  command  for  the  message  being  built,  and  the  other  is  for 
the  case  where  the  current  command  is  the  last  one.  When  the  last  command  is  processed, 
COKTINUE_BUILD  copies  the  completed  message  into  the  App_Msg_Q.  It  is  true  that  the  two 
adalemmas  could  be  combined,  because  all  the  functions  performed  in  the  “not  last”  case  are 
also  performed  in  the  “last”  case;  one  would  add  the  additional  facts  to  the  postcondition  in 
the  form  of  conditional  assertions  based  on  whether  #Cmds_Rcvd  =  .Nuin_CBids_For_App_Msg. 
However,  this  complicates  the  exposition  somewhat,  and  we  prefer  to  use  separate  adalem¬ 
mas.  We  win  first  discuss  the  adalemma  for  the  “not  last”  case. 


6.4.2  The  “not  last”  command  case 

(def adalemma  cent inue_build . data_load_cmd . not . last . adalemma 
"msx_progr am_f inal_ vers ion_sans_checksum . a" 
cont inue  _build 

msr_program_f inal_version_sans_checksum . app_msgs . continue_build 
(" .build_in_progress" 

" •app_msgs.cmd_status_buf [.cont inue _build.cmd_buf_index]  =  . cmd_ok" 
"  is  .b3rte  ( .  start  ing_cmd_with_par)  " 

" is . byt  e ( . cont  _cmd) " 

"is.b3rte( .  cont_op_code)  " 

" . cont_cmd  =  . data_load_cmd" 

"  .cont_op_code  =  .cont_cmd'' 
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"lie  . cinds_rcTd" 

"  .  cmds_rcvd  It  .nujn_cmds_for_app_iiisg  -  1" 

".cnids_rcvd  mod  2  =  .cmds.rcvd  -  (.cmds_rcTd  /  2)  *  2" 

".cmds_rcvd  mod  2  =  0  or  .cmds_rcvd  mod  2=1" 

".cmds_rcvd  mod  2  =  1  — >  lon.byte(.app_msg[.oord_ciitr]  ,0)" 

"4  le  . word_cntr" 

".¥ord_ciitr  le  78" 

"is . cmd_bytes_type ( . app_msgs . cmd_buf [. continue _build. cmd_buf_ index] ) " 

"origin (app_msgs.cmd_buf)  le  .continue_build.cmd_buf_indei" 

" . continue _build. cmd_buf_index 

le  (origin(app_msgs.cmd_buf)  +  range(app_msgs.cmd_buf))  -  1" 

"forall  q  (origin (app_msg)  le  q  &  q  le  .word_cntr  — >  is.oordC .app_msg[q]) ) " 

) 

(word_cntr 

(element  app_msg  (minus  (plus  (dot  word_cntr)  1)  (mod  (dot  cmds_rcvd)  2))) 
(element  app_msg  (minus  (plus  (dot  ¥ord_cntr)  2)  (mod  (dot  cmds_rcTd)  2))) 
cmds_rcvd) 

("forall  q  (origin(app_msg)  le  q  &  q  le  #¥ord_cntr  — >  is .¥ord( .app_msg[q]))" 
"#Bord_cntr  =  (.¥ord_cntr  +  2)  -  .cmds_rcvd  mod  2" 

"#cmds_rcTd  =  .cmds_rcvd  +1" 

".cmds_rcTd  mod  2=0  — >  #Bord_cntr  =  .word_cntr  +  2" 

" . cmds_rcvd  mod  2=0 

— >  high.byte(#app_msg[.word_cntr  +  1], 

. record  (app_msgs , cmd_buf  [ . continue_build . cmd_buf _index] , 
second_byte))" 

",cmds_rcTd  mod  2=0 

— >  low. byte (#app_msg[.word_cntr  +  1], 

, record (app_msgs . cmd_buf [ . cont inue_build . cmd_buf_ index] , 

third_byte))  " 

" . cmds.rcvd  mod  2=0 

— >  high.byte(#app_msg[.¥ord_cntr  +  2], 

. record (app_msgs , cmd_buf [ . cont inue_build . cmd_bu±_ index] , 
f  otrrth_byte))" 

".cmds_rcvd  mod  2=0  — >  lo¥.byte(#app_msg[.¥ord_cntr  +  2],0)" 

".cmds_rcvd  mod  2=1  — >  #¥ord_cntr  =  .¥ord_cntr  +  1" 

" . cmds_rcvd  mod  2=1 

— >  high.byte(#app_msg[.¥ord_cntr] , .app_msg[.¥ord_cntr]  /  256)" 

".cmds_rcvd  mod  2=1 

— >  lo¥.byte(#app_msg[.¥ord_cntr] , 

. record (app_msgs . cmd_buf [.continue_build. cmd_buf_index] , 
second.byte) ) " 

" . cmds_rcvd  mod  2=1 

— >  high.byte(#app_msg[.¥ord_cntr  +  1], 

. record (app_msgs . cmd_bul [ . cont  inue_build . cmd_bu±  _index] , 
tbird_byte) ) " 

" . cmds_rcvd  mod  2=1 

— >  lo¥.byte(#app_msg[.¥ord_cntr  +  1], 

. record (app_msgs . cmd_buf [ . continue_build . cmd_buf _index] , 
f  ourth_byt  e) ) " ) ) 
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We  shall  discuss  the  various  parts  of  this  adalemma. 
First  consider  the  following  precondition: 


" .build_in_progress" 

"  .app_msgs.cHid_status_biif  [.contiriue_build.cB!d_buf_index]  =  .CBd_ok" 

"  is .  byt  e  ( .  start  ing_ciid_Tiith_par  )  " 

" is . byt e ( . cont_CMd) " 

"is.byte(.con.t_op_code) " 

" .  cont_ciiid  =  .data_load_c*d" 

".cont_op_code  =  .cont_cmd" 

"lie  . CBids_rcvd" 

".cmds_rcvd  It  .num_ciiids_for_app_msg  -  1" 

".CBds_rcvd  mod  2  =  .cmds_rcTd  -  (.cmds_rcvd  /  2)  *  2" 

".cmds_rcvd  mod  2  =  0  or  .cmds_rcvd  mod  2=1" 

"  . cmds.rcvd  mod  2  =  1  — >  low. byte (. app_msg [. word_ciitr]  ,0)" 

"4  le  .word_cntr" 

".word.cntr  le  78" 

" is . cmd_bytes_type ( . app_msgs . cmd_buf [. continue_build . cmd_buf_ index] ) " 

" origin (app_msgs.cBd_buf)  le  . continue _build. cmd.buf .index" 

" . continue.build. cmd.buf .index 

le  (origin(app.msgs.cBd.buf)  +  range(app_msgs.cmd.buf))  -  1" 

"forall  q  (origin (app.msg)  le  q  &  q  le  .word.cntr  — >  is.word(.app_msg[q]))" 


The  first  group  of  assertions  set  the  environment  within  which  CONTINUE.BUILD  might  be 
called,  and  the  circumstances  under  which  this  adalemma  is  to  be  applied.  There  are 
two  assertions  giving  properties  of  the  mod  function — of  course,  these  are  mathematically 
provable  facts,  but  they  are  not  automatically  known  to  the  simplifier,  so  we  have  put  them 
into  the  precondition  of  the  adalemma.  The  user  wiU  be  responsible  for  proving  these  before 
the  adalemma  is  applied.  This  is  important,  because  the  expression  .  cmds.rcvd  mod  2  is 
used  in  the  mod  list  of  this  adalemma,  and  the  correct  covering  properties  will  not  be 
known  to  the  covering  solver  unless  the  possible  values  of  this  expression  are  known.  The 
assertion  about  .app.msg [.word.cntr]  is  that  if  an  odd  number  of  commands  have  been 
received,  then  the  low  byte  of  the  last  word  in  the  current  message  is  0.  The  next  group  of 
assertions  guarantee  that  various  array  indices  are  in  range.  The  last  assertion  states  that 
everything  in  the  .app.msg  array  is  a  “word,”  i.e.,  is  an  integer  in  the  range  0  ...  65535. 
SDVS  has  the  built-in  type  integer  but  the  simplifier  does  not  handle  subtypes;  to  deal 
with  this  situation,  the  SDVS  Ada  translator  places  guard  conditions  on  its  translations  of 
assignment  statements  for  variables  declared  of  a  given  subtype,  to  insure  that  the  value 
assigned  is  actually  in  the  subtype.  If  a  variable  V  is  declared  as  a  word,  then  the  translator 
output  requires  that  any  quantities  to  be  assigned  to  V  must  be  in  the  range  0  ...  65535. 
Since  members  of  the  App.Msg  array  are  later  used  in  assignments  to  other  words,  the 
information  that  App.Msg  consists  of  words  must  be  available.  Indeed,  there  is  such  a  step 
even  within  the  code  for  CONTINUE.BUILD.  Hence,  the  quantified  statement  must  be  part 
of  the  precondition  to  CONTINUE.BUILD,  not  merely  proved  after  its  invocation.  A  similar 
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statement,  with  an  appropriately  enlarged  range  of  subscripts  for  .app_msg,  is  part  of  the 
postcondition. 

Next  consider  the  following  mod  list  (in  input  notation): 


word_ciitr , 

app_nisg[.word_cntr+l-(.cmds_rcTd  mod  2)], 
app_msg[.¥ord_cntr+2-(.cmds_rcvd  mod  2)], 
cmds.rcvd 


These  are  simply  a  list  of  the  places  which  are  modified  by  CONTINUE_BUILD  when  called  on  a 
command  which  is  not  a  “last”  command.  As  it  happens,  we  were  able  to  write  expressions 
for  the  array  subscripts  which  work  out  correctly  whether  or  not  .cmds_rcvd  is  odd  or 
even — were  this  not  so,  we  should  have  been  obliged  to  prove  two  separate  adalemmas,  one 
for  each  of  these  cases. 

The  postcondition  is  examined  in  several  parts: 


"forall  q  ( origin (app_msg)  le  q  &  q  le  #sord_cntr  — >  is.¥ord(.app_msg[q]))" 

"#Bord_cntr  =  (.¥ord_cntr  +  2)  -  .cmds_rcvd  mod  2" 

"#cmds_rcTd  =  .cmds_rcvd  +1" 

".cmds.rcvd  mod  2=0  — >  #word_cntr  =  .word_cntr  +  2" 

The  quantified  statement  above  asserts,  as  promised,  that  app.msg  is  an  array  of  words. 
Then  the  new  values  of  word_ciitr  and  cmds_rcvd  are  asserted. 

" . cmds_rcTd  mod  2=0 

— >  higli.byte(#app_msg[.¥ord_ciitr  +  1], 

. record (app _msgs. cmd_buf  [.continue_build. cmd_buf_iiider!] , 
second_byte) )" 

" . cmds_rcvd  mod  2=0 

— >  low. byte (#app_msg[.word_cntr  +  1], 

. record (app_msgs . cmd_buf [ . continue_build. cmd_buf -index] , 
third-byte))" 

" . cmds-rcvd  mod  2=0 

— >  high. byte(#app-msg[. word- cntr  +  2], 

.record(app-msgs.cmd-buf [.continue-build.cmd-buf-index] , 
fourth-byte) ) " 

".cmdS-rcvd  mod  2=0  — >  low.byte(#app-msg[.word-cntr  +  2],0)" 


This  group  of  assertions  applies  when  .  cmds_rcvd  is  initially  even.  In  that  case,  the  three 
bytes  of  the  current  command  are  stored  into  the  two  bytes  of  the  next  available  word  in 
app_msg  and  the  high  byte  of  the  word  after  that. 

It  is  appropriate  at  this  point  to  look  at  the  definitions  of  the  macros  high. byte  and 
low. byte.  They  are 


(defmacroo  high.b]rte  ; extra  facts  here  because  this  is  used  in  postconditions 

"0  le  X  &  X  le  65535  ft  y  =  x  /  256  ft  0  le  y  ft  y  le  255  ft 
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X  =  y  •  256  +  X  Bod  256" 

(x  y)  nil) 

(defmacroo  low. byte  ; extra  facts  here  because  this  is  used  in  postconditions 

"0  le  X  &  X  le  65535  &  y  =  x  mod  256  &  0  le  y  &  y  le  255  & 

X  =  ((x  /  256)  *  256)  +  y" 

(x  y)  nil) 

The  reader  will  note  that  these  seem  redundant;  some  of  what  is  given  is  a  mathematical 
consequence  of  the  rest.  However,  if  we  left  it  at  that,  we  should  have  to  prove  those 
consequences  at  some  point;  putting  them  instead  in  these  macros  provides  the  simplifier 
more  information  to  work  with,  and  eliminates  (we  hope)  the  need  for  the  user  to  reprove 
these  things. 

The  last  group  of  assertions  is  for  the  case  that  the  initial  value  of  .  cmds_rcvd  is  an  odd 
integer: 

".cmds_rcTd  mod  2=1  — >  #word_cntr  =  .word_cntr  +  1" 

" . cmds_rcwd  mod  2=1 

— >  high.byte(#app_msg[.word_cntr] , .app_msg[.word_cntr]  /  256)" 

".cmds_rcvd  mod  2=1 

— >  low. byte (#app_msg[. word. cntr]  , 

.record(app_msgs.cmd_buf[.continue_build.cmd_buf .index] , 
second.byte))" 

".cmds.rcvd  mod  2=1 
— >  high.byte(#app_msg[.word_cntr  +  1], 

.  r  e  c  or d ( app _ms gs . cmd.buf [ . cont  inue.build . cmd.buf .index] , 
third.byte))" 

" . cmds.rcvd  mod  2=1 

— >  low. byte (#app.iisg[.word_cntr  +  1], 

. record (app.msgs . cmd.buf [ . continue.build. cmd.buf .index] , 
f our th.byt e ) ) " ) ) 

This  group  applies  when  the  number  of  previously  received  commands  is  odd.  In  such  a 
case,  the  high  byte  of  the  last  used  word  in  App.Msg  is  preserved,  and  the  three  bytes  from 
the  current  command  are  inserted  into  the  low  byte  of  that  word,  and  the  two  bytes  of  the 
next  available  word  in  App.Msg. 

This  CONTINUE.BUILD  adalemma  would  normally  be  applied  in  a  situation  in  which  there 
is  a  quantified  statement  expressing  the  relationship  between  the  Cmd.Buf  and  the  current 
contents  of  App.Msg.  The  lemma  must  be  constructed  so  that  its  application  does  not  cause 
the  deletion  of  that  statement  from  the  usablequantifiers  list,  and  so  that  an  appropriately 
enlarged  quantified  statement  can  be  proved  after  the  application  of  the  adalemma.  These 
requirements  translate  into  the  need  for  an  accurate  mod  list,  and  a  complete  rendering  of 
the  new  situation  in  the  postcondition. 


6.4.3  The  “last”  command  case 

The  second  adalemma  for  CONTINUE.BUILD  addresses  the  situation  that  the  current  command 
is  in  fact  the  last  one  required  for  the  build  of  the  message  to  be  complete:  this  occurs  when 
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.cmds_rcvd  =  .niun_cnids_for_app_msg  -  1 

In  tills  case,  not  only  does  C01fTINUE_BUILD  perform  the  same  steps  as  before,  but  it  also 
copies  the  completed  message  into  the  App_Msg_Q.  Therefore  there  are  correspondingly  more 
places  listed  in  the  mod  list  and  more  assertions  in  the  postcondition.^ 

The  adalemma  for  the  “last”  command  is 

(def adalenuna  cont inue_build . data_load_cind . Icist  .not . eeprom. adalenuna 
"msx_program_f inal_version_sans_checksum.a" 
continue_build 

msx_progra]n_f  inal_version_sans_chGcksum .  app_Bisgs .  continue_build 
( " . build_in_progress" 

" .  app_iiisgs .  cnid_status_bu±  [.  continue  _build.  cmd_bui_index]  =  .  ciiid_ok" 

"is .byte ( . start ing_cmd_with_par) " 

" is . byt e ( . cont_cmd) " 

"is.b3rte(.cont_op_code)  " 

".cont_cmd=  .data_load_cmd" 

" .  cont_op_code  =  .cont_aad" 

"1  le  . cmds_rcvd" 

" .  CMds_rcvd  =  .num_cmds_f  or_app_insg  -  1" 

" . ciiids_rcvd  mod  2  =  .cmds_rcvd  -  (.cmds_rcvd  /  2)  •  2" 

".cmds_rcvd  mod  2  =  0  or  .cmds_rcvd  mod  2  =  1" 

".cmds_rcvd  mod  2  =  1  — >  loii.byte(.app_msg[.Bord_cntr]  ,0)" 

"4  le  .word_cntr" 

".Bord_cntr  le  78" 

" is . cmd_bytes_type ( . app_msgs . cmd_buf [ . continue.build . cmd_buf .index] ) " 

"origin (app_msgs.cmd_buf)  le  .continue_build.cmd_buf .index" 

" . continue .build. cmd.buf. index 

le  (originCapp.msgs. cmd.buf )  +  range (app.msgs. cmd.buf ) )  -  1" 

"3  le  .num.Bords.for.app.msg" 

" .num.words.for.app.msg  le  (range (app.msg)  +  origin(app.msg))  -  4" 

"forall  q  (origin(app.msg)  le  q  &  q  le  .word.cntr  — >  is. word ( .app.msg [q]) ) " 
"(.word.cntr  +  2)  -  .cmds.rcvd  mod  2  ge  .num.words.for.app.msg  +  1" 

".app.msg.coxmter  It  .app.msg.q.size" 

"0  le  .q.tail" 

".q.tail  =  0  — >  .app.msg.coimter  =  0" 

".q.tail  le  (range (app.msg.q)  +  origin(app.msg.q))  -  1" 

".q.tail  It  range (app.msg.q)  k  .q.tail  mod  .app.msg.q.size  =  .q.tail  or 
•q.tail  =  range (app.msg.q)  k  .q.tail  mod  .app.msg.q.size  =  0" 

"30  mod  30  =  0" 

"  is .  byt  e  ( .  app.msg  [2]  )  " 

®  Actually,  there  is  a  further  case  distinction  made  in  C0NTINUE3UILD:  whether  the  message  completed  is  a 
RAJLMeiLLoad,  a  EEPROHJtemJLoad,  or  a  HeiiLDumpJC.Frames  message;  in  any  of  these  cases  further  processing 
of  the  message  is  performed  before  it  is  placed  in  the  AppJIsgJ).  But  we  are  restricting  consideration  in  this 
report  to  the  Data.StrucXoad  messages,  which  do  not  require  any  further  processing.  Nevertheless,  we  have 
proved  the  adalemma  for  even  the  more  complex  situation  of  the  other  message  types  mentioned.  This  third 
CONTINUELBUILD  adalemma  will  be  listed  at  the  end  of  this  section,  but  will  not  be  discussed  further. 
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".app_msg[2]  ■■=  .ram_iiem_load" 

" .  app_iBsg  [2]  .  eeprom_Mem_load" 

".app_*sg[2]  “=  .■em_duiBp_x_frames") 

(Bord_ciitr 

(element  app_msg  (minus  (plus  (dot  Bord_cntr)  1)  (mod  (dot  cmds_rcvd)  2))) 
(element  app_msg  (minus  (plus  (dot  word_cntr)  2)  (mod  (dot  cmds_rcvd)  2))) 
cmds_rcTd 
q_tail 

num_words_f or_app_msg 

(slice  (element  app_msg_q  (plus  (mod  (dot  q_tail)  (dot  app_msg_q_size) )  1)) 

1 

(plus  (dot  num_Bords_for_app_msg)  1)) 

(element  (element  app_msg_q  (plus  (mod  (dot  q_tail)  (dot  app_msg_q_si2e))  1)) 
(dot  app_msg_max) ) 
app_msg_counter 
cmd_ 1 ast _ app_msg 
build_in_progress) 

("forall  q  (origin(app_msg)  le  q  &  q  le  #¥ord_cntr  — >  is.word(.app_msg[q]))" 
"forall  q  (1  le  q  ft  q  le  .num_Bords_f or_app_msg 

— >  #app_msg_q[.q_tail  mod  .  app_msg_q_size  +  1]  [q] 

=  #app_msg[q  +  1])" 

"#¥ord_cntr  =  (.¥ord_cntr  +  2)  -  .cmds.rcvd  mod  2" 

"#cmds_rc¥d  =  .cmds_rcvd  +  1" 

".cmds_rcTd  mod  2=0  — >  #¥ord_cntr  =  .¥ord_cntr  +2" 

" . cmds_rcTd  mod  2=0 

— >  high.byte(#app_msg[.¥ord_cntr  +  1], 

.record(app_msgs . cmd^irf [•  continue_build. cmd_buf _inder]  , 
second_byte))" 

" . cmds_rcTd  mod  2=0 
— >  lo¥.byte(#app_msg[.¥ord_cntr  +  1], 

. rec  ord ( app_msgs . cmd_buf [ . cont inue_build . cmd_buf _  index] , 
third_byte))" 

" . cmds_rcvd  mod  2=0 
— >  h.igh..byte(#app_msg[.¥ord_cntr  +  2], 

. record (app_msgs . cmd_buf  [. continue_build. cmd_buf _index] , 
fourth_byte))" 

".cmds_rcvd  mod  2=0  — >  lo¥.byte(#app_msg[.¥ord_cntr  +  2],0)" 

".cmds_rcvd  mod  2=1  — >  #¥ord_cntr  =  .¥ord_cntr  +1" 

" . cmds_rcvd  mod  2=1 

— >  high.byte(#app_msg[.¥ord_cntr] , .app_msg[.¥ord_cntr]  /  256)" 

" . cmds_rcvd  mod  2=1 

— >  lo¥.byte(#app_msg[.¥ord_cntr] , 

. record (app_msgs . cmd_buf [ . continue .build. cmd.buf .index] , 
second.byte))" 

" . cmds.rcvd  mod  2=1 
— >  high.byte(#app.msg[,¥ord.cntr  +  1], 

.  record (app.msgs. cmd.buf [.cont inue_build.cmd.buf. index] , 
thixd.byte) ) " 

" . cmds.rcvd  mod  2=1 
— >  lo¥.byte(#app_msg[.¥ord_cntr  +  1], 

.record (app.msgs . cmd.buf [. continue .build. cmd.buf.index] , 
f ourth.byt e) ) " 

"tq.tail  =  .q.tail  mod  .app.msg.q.size  +  1" 

"origin(app_msg_q)  le  #q_tail  ft 

#q_tail  le  (range (app_msg_q)  +  origin (app.msg.q) )  -  1" 


50 


"#mim_words_for_app_iiisg  =  .niim_¥ords_f  or_app_insg  +  1" 

"#app_msg_q[.q_tail  aod  . app_iiisg_q_size  +  1]  [ . app_msg_iQax] 

=  #num_words_for_app_iiisg  -  1" 

"#app_nisg_counter  =  .  app_nisg_counter  +  1" 

"#build_in_progress  =  false")) 

The  precondition,  mod  list,  and  postcondition  of  this  adalemma  are  each  an  extension  of 
the  corresponding  part  of  the  first  adalemma.  We  shall  discuss  only  the  differences. 

In  the  precondition,  there  are  assertions  concerning  .nuin_ffords_for_app_msg,  which  express 
what  is  known  about  this  quantity  at  times  when  CONTINUE_BUILD  is  invoked.  There  are 
several  assertions  about  .q_tail,  which  serve  to  place  it  in  the  correct  range,  and  also 
to  guide  the  simplifier  in  determining  bounds  on  the  new  value,  #q_tail.  This  includes 
arithmetical  facts  about  the  result  of  using  the  mod  function,  which  are  mathematically 
true  but  not  automatically  available  to  the  simplifier.  The  initial  value  for  .q_tail  is  0, 
but  once  anything  has  been  written  into  the  App_Msg_Q,  Q_tail  is  never  again  0.  Thus, 
.q_tail  =  0  — >  .app_msg_counter  =  0  is  true,  although  this  fact  is  never  used  anywhere 
in  the  proof.  (Note  that  the  converse  does  not  hold:  .app_msg_q  =  0  is  possible  even 
when  .q_tail  "=  0.)  The  “30  mod  30  =  0”  is  present  merely  to  coax  the  simplifier  in  the 
right  direction;  this  fact  is  automatically  known  if  the  simplifier  is  interrogated  about  it, 
but  apparently  the  act  of  interrogation,  or  including  it  in  the  precondition,  increases  its 
availability  for  other  behind-the-scenes  work  of  the  simplifier.  Inserting  this  arithmetical 
fact  in  the  precondition  saves  a  few  “notice”  commands  later  on  in  the  proof.  App_Msg(2) 
contains  the  message  id  in  its  low-order  byte.  The  exact  value  of  .app_msg[2]  would  likely  be 
known  to  the  simplifier  at  the  moment  of  any  particular  application  of  this  adalemma,  but 
we  are  stating  and  proving  the  adalemma  in  a  general  situation  without  any  knowledge  of  an 
exact  value.  Thus,  we  have  precondition  assertions  giving  needed  facts  about  .app_msg[2].^° 

The  mod  hst  is,  in  user-interface  instead  of  lisp  notation, 

¥ord_cntr, 

app_msg[.¥ord_cntr+l-(.aii<is_rcTd  mod  2)], 
app_msg[.Bord_cntr+2-(.cmds_rcTd  mod  2)], 
cmds_rcvd, 
q_tail , 

HTxm_Bords_f  or_app_msg , 

app_msg_q[.q_tail  mod  . app_msg_q_size  +  1] [1 : .num_¥ords_for_app_msg  +  1], 
app_msg_q[.q_tail  mod  . app_msg_q_size  +  1] [.app_msg_max] , 
app_msg_counter , 
build_  iii_progress 

The  additional  places  are  simply  those  that  may  be  altered  when  the  completed  message  is 
copied  into  the  App_Msg_Q. 

The  additional  parts  of  the  postcondition  are  mostly  self-explanatory,  merely  expressing 
what  is  accomplished  by  the  additional  code  executed  in  the  case  of  a  completed  message. 
Noteworthy  are  the  assertions  concerning  .app_msg_q: 

particular,  the  cissertions  that  the  current  message  is  not  one  of  RAH-HeiuXoad,  EEPR0MJlem_Load,  or 
Hem_Dump  J(  JFr  ame  s . 
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"forall  q  (1  le  q  &  q  le  .num_words_for_app_msg 

— >  #app_msg_q[.q_tail  mod  . app_msg_q_size  +  1]  [q]  =  #app_msg[q  +  1])" 
"#app_msg_q[.q_tail  mod  . app_msg_q_size  +  1]  [ . app_msg_mac£] 

=  #inm_Bords_for_app_msg  -  1" 

These  indicate  that  the  completed  message  has  been  copied  to  the  App_Msg_Q. 

The  two  adalemmas  we  have  given  suffice  for  handling  the  calls  to  C0NTINUE_BUILD  when  the 
message  being  built  is  a  Data_Struc_Load.  We  also  proved  an  adalemma  for  the  remaining 
cases  of  the  Data_Load_Cmd,  namely  that  it  is  one  of  RAM_Mem_Load,  EEPROM_Mem_Load,  or 
Mem_Dump_X_FraiBes.  This  we  present  here,  but  we  shall  not  discuss  it  further  in  this  report: 

(def adalemma  cont inue.build . data_load_cmd . last . eeprom . adalemma 
"msx_progr2im_final_Tersion_saiis_checksum.a" 
contiinie_build 

msx_program_f  iiial_Tersion_sans_ch.ecksum.  app_msgs .  contiiiue_build 
(". build. in.progress" 

" . app.msgs . cmd.status.buf [. continue .build. cmd.buf .index]  =  . cmd.ok" 

" is . byte ( . start ing.cmd.with.par ) " 

"is . byte (. cont.cmd) " 

"is .byte ( . cont.op.code) " 

".cont.cmd  =  .data.load.cmd" 

".cont.op.code  =»  .cont.cmd" 

"1  le  .cmds.rcTd" 

" .  cmds.rcvd  *  .ntim.cmds.f  or.app.msg  -  1" 

".cmds.rcvd  mod  2  =  .cmds.rcvd  -  (.cmds.rcvd  /  2)  ♦  2" 

".cmds.rcvd  mod  2  =  0  or  .cmds.rcvd  mod  2=1" 

".cmds.rcvd  mod  2=1  — >  lov.byteC .app.msgf.word.cntr] ,0) " 

"4  le  .vord.cntr" 

".word.cntr  le  78" 

"is. cmd.bytes.type( . app.msgs . cmd.buf  [. continue .build. cmd.buf .index] ) " 

"originCapp.msgs. cmd.buf )  le  . continue .build. cmd.buf .index" 

" . continue.build. cmd.buf .index 

le  (originCapp.msgs. cmd.buf )  +  range (app.msgs. cmd.buf))  -  1" 

"3  le  .num.words.f or.app.msg" 

" .num.words.f or.app.msg 

le  ( (range (app.msg)  +  origin(app.msg))  -  1)  -  3" 

"forall  q  (origin(app.msg)  le  q  &  q  le  .word.cntr  — >  is.word (. app.msg [q]))" 
"(.word.cntr  +  2)  -  .cmds.rcvd  mod  2  ge  .num.words.f or.app.msg  +1" 

" . app.msg.counter  It  .app.msg.q.size" 

"0  le  .q.tail" 

".q.tail  =  0  — >  .app.msg.counter  =  0" 

".q.tail  le  (range (app_msg_q)  +  origin(app.msg.q))  -  1" 

".q.tail  It  range (app.msg.q)  k 

.q.tail  mod  . app.msg.q.size  +  1  =  .q.tail  +  1  or 
.q.tail  =  range (app_msg_q)  k 

.q.tail  mod  .app.msg.q.size  +1=1" 

"30  mod  30  =  0" 

" . app.msg [2]  =  . eeprom.mem.load") 

(word.cntr 

(element  app.msg  (minus  (plus  (dot  word.cntr)  1)  (mod  (dot  cmds.rcvd) 

2))) 

(element  app.msg  (minus  (plus  (dot  word.cntr)  2)  (mod  (dot  cmds.rcvd) 

2))) 


52 


ciiids_rcvd 

(element  app_msg  1) 

(element  app_msg  2) 

(element  app_msg  3) 
q_tail 

nxm_¥ords_for_app_msg 

(slice  (element  app_msg_q  (plus  (mod  (dot  q_tail)  (dot  app_msg_q_size)) 

1))  1  (plus  (dot  num_words_for_app_msg)  1)) 

(element  (element  app_msg_q  (plus  (mod  (dot  q_tail)  (dot  app_msg_q_size))  1)) 

(dot  app_msg_mai) ) 
app_msg_counter 

cmd_lcist_app_msg 

build_in_progress) 

("forall  q  (origin(app_msg)  le  q  &  q  le  #word_cntr  — >  is.Bord(.app_msg[q]))" 
"forall  q  (1  le  q  ft  q  le  .num_¥ords_for_app_msg 

— >  #app_msg_q[.q_tail  mod  .  app_msg_q_size  +  1]  [q]  =  #app_msg 

[q])" 

"#¥ord_cntr  =  (.¥ord_cntr  +  2)  -  .cmds_rcTd  mod  2" 

"#cmds_rcTd  =  .cmds_rcvd  +1" 

" . cmds_rcvd  mod  2=0  — >  #¥ord_cntr  =  . ¥ord_cntr  +  2" 

" . cmds_rc7d  mod  2=0 

— >  high.byte(#app_msg[.¥ord_cntr  +  1], 

. record (app_msgs . cmd_buf  C.continue_build. cmd_buf _inder] , 
second^yte))" 

" . cmds_rcTd  mod  2=0 

— >  lo¥.byte(#app_msg[.¥ord_cntr  +  1], 

.record(app_msgs . cmd_buf  [ . continue_bviild.  cmd_buf_ index]  , 
th.ird_byte))" 

*' .  cmds_rcTd  mod  2  =  0 

— >  high.byte(#app_msg[,¥ord_cntr  +  2], 

.  record (app_msgs . cmd_bu± [ . cont inue_build . cmd_buf_ index] , 
f ourth_byte) ) " 

".cmds_rcvd  mod  2=0  — >  lo¥,byte(#app_msg[.¥ord_cntr  +  2],0)" 

".cmds_rcTd  mod  2=1  — >  #¥ord_cntr  =  .¥ord_cntr  +  1" 

".cmds_rcvd  mod  2=1 

— >  high.byte(#app_msg[.¥ord_cntr] , .app_msg[.¥ord_cntr]  /  256)" 

" .  cmds_rcvd  mod  2  =  1 

— >  lo¥.byte(#app_msg[.¥ord_cntr] , 

. record (app_msgs . cmd_buf [ . continue_build. cmd_buf _index] , 
second_byte))" 

" . cmds_rcvd  mod  2=1 

— >  bigh.byte(#app_msg[.¥ord_cntr  +  1], 

.  record (app_msgs . cmd_buf [ . continue_bnild . cmd_buf _indei] , 
tbird_byte)  )  " 

" . cmds_rcvd  mod  2=1 

— >  lo¥.byte(#app_msg[.¥ord_cntr  +  1], 

. record ( app_msgs . cmd_buf [ . cont inue_build . cmd_buf _index] , 
f  ourth_b3rte)  )  " 

"#app_msg[l]  =  .app_msg[2]" 

"#app_msg[2]  =  .app_msg[3]  /  256" 

"#app_msg[3]  =  .app_msg[3]  mod  256" 

"#q_tail  =  .q_tail  mod  .app_msg_q_size  +  1" 

" origin (app_msg_q)  le  #q_tail  ft 

#q_tail  le  (range (app_msg_q)  +  origin(app_msg_q))  -  1" 

"#num_¥ords_f or_app_msg  =  .num_¥ords_f or_app_msg  +  1" 
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"#app_Hsg_q[.q_tail  mod  . app_msg_q_size  +  1]  [. app_msg_max] 
=  #num_words_f  or_app_iiisg" 

"#app_msg_couiiter  =  .  app_iisg_counter  +  1" 
"#build_in_progress  =  false")) 


It  should  be  noted  that  the  proofs  for  the  adaJemmas  in  the  “last”  command  cases  do  not 
close  properly.  They  fail  during  the  final  steps  of  undeclaration  of  local  variables,  at  a  point 
where  aU  goals  apart  from  the  “exited”  condition  have  been  proved.  We  have  determined 
that  the  problem  is  due  to  a  bug  in  SDVS,  in  which  a  wrong  choice  is  made  for  a  symbol 
to  be  used  for  a  subprogram  variable.  The  bug  is  possibly  some  type  of  “off  by  one”  error. 
Since  all  other  goals  are  proved  before  the  bug  manifests,  we  expect  that  the  same  proofs 
we  have  developed  wiU  close  properly  when  the  bug  is  fixed. 
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7  Conclusions 


The  primary  purpose  of  this  verification  effort  was  to  stress-test  SDVS  and  help  us  formulate 
further  research  and  development  strategies.  This  project  lasted  only  a  year,  and  because 
(1)  this  was  the  first  large  Ada  application  verified  and  (2)  SDVS  development  occurred 
concurrently  with  the  program  verification,  we  were  restricted  in  the  complexity  of  the 
specification  and  amount  of  code  that  could  be  tackled.  However,  we  found  this  experience 
very  important  for  identifying  weak  and  missing  features  in  the  tools  and  underlying  theory, 
and  it  is  helping  us  prioritize  future  research  and  development  tasks  (see  [6]  for  details). 

This  application  has  confirmed  our  belief  that  it  is  not  always  clear  how  to  scale  up  (i.e., 
to  verify  large  applications)  from  experiences  with  small  examples.  The  Ada  program  we 
verified  was  by  far  the  largest  Ada  program  to  be  translated  by  the  SDVS  Ada  translator, 
and  we  ran  into  unexpected  storage  and  time  problems.  Perhaps  some  of  these  problems 
are  unavoidable  given  the  size  of  the  program.  But  it  was  only  towards  the  end  of  the 
project  that  we  took  a  more  promising  approach  to  the  verification  of  the  program:  proving 
adalemmas  for  some  of  the  more  important  subprograms.  The  incorporation  of  these  lemmas 
into  the  proof  not  only  modularizes  it  but  shortens  it  considerably  as  well.  The  reason  we 
did  not  start  out  with  the  adalemma,  approach  is  that  we  thought  it  would  be  too  time- 
consuming  and  difficult  within  one  year.  But  we  were  mistaken:  our  original  proof  strategy 
without  adalemmas  -  while  more  straightforward  -  ultimately  proved  too  time-consuming. 

Apart  from  stress-testing  SDVS,  the  verification  project  allowed  us  to  enhance  the  SDVS 
Ada  translator  and  add  to  the  system  three  new  proof  commands  that  should  facilitate  long 
proofs. 

Had  we  more  time  to  work  on  the  project,  we  would  prove  more  adalemmas  about  some 
of  the  key  subprograms  (such  as  CMDJNJIANDLER)  and  try  to  prove  correctness  assertions 
about  more  general  schedulers  and  more  realistic  input  conditions. 
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8  Appendix  A  —  The  Annotated  Program 


— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 
— SDVS  comment 


We  deleted  definitions,  object  declarations,  task  declarations, 
and  subprogram  declarations  that  ue  did  not  need  from  several  of 
the  packages  below.  But  we  did  not  delete  completely  anything 
from  subprograms  we  use;  if  we  did  not  need  a  particular  statement 
in  a  subprogram,  we  commented  it  out;  the  statement  appears,  but 
only  as  a  comment.  The  eiceptions  to  the  rule  are:  (1)  the 
subprogram  STORE_DATA_STRUC_IN_EEPROM  in  the  package  EEPROM_DATA 
which  bears  no  relation  to  the  real  one,  (2)  the  function 
CHECK_PARITY  in  the  ASM_imLITY  package  whose  body  is  written  in 
1750A  assembly,  (3)  CHG.STATE  and  RETRIEVE. CUR.STATE  in  the 
package  MODE.STATE  which  are  used  to  give  us  permission  to  write 
to  EEPROM,  and  (4)  the  procedure  REPORT_SYSTEM_ERRDR  in  the 
package  TM.DATA  which  is  used  to  report  errors.  The  packages 
SERIAL_DIG_CMDS  and  APP.MSGS  are  presented  in  their  entirety.  For 
our  purposes,  the  packages  GLOBAL.TYPES ,  CHDS.TYPES,  and 
TRKIKG_DATA_STRDC  contain  only  t3rpe  definitions  and  object 
decl«irations  used  by  SERIAL_DIG_CMDS  and  APP.MSGS. 

Our  deletions  by  comment  are  prefixed  by  ‘‘ — SDVS  delete:’’  or  by 
‘‘ — SDVS  delete  (’reason’),”  where  ’reason’  is  one  of  the 
reasons  discussed  in  Section  4:  for  example,  “ — SDVS  delete 
(1750A)”  means  the  deleted  line  includes  a  routine  whose  body  is 
written  in  1750A  assembly  language.  If  the  deleted  line  is 
prefixed  ‘‘ — SDVS  delete:,”  the  reason  is  given  either  within  a 
few  lines  preceding  the  deletion,  or  at  the  beginning  of  the 
subprogram  in  which  the  statement  appears. 


with  text.io;  use  text.io;  — SDVS  add  for  SDVS  input  and  output 
with  integer.io;  use  integer.io;  —SDVS  add  for  SDVS  input  and  output 


procedure  MSX_PROGRAM_FINAL_VERSION  is 


— SDVS  comment:  LONG.INTEGER  and  LONG.FLOAT  are  not  standard  Ada  types.  We  provide 
— SDVS  comment:  the  SDVS.PACKAGE  below  for  these  t3rpe  definitions. 


package  SDVS_PACKAGE  is  —SDVS  add 

subtype  LONG.INTEGER  is  INTEGER;  —SDVS  add 
subtype  LONG.FLOAT  is  FLOAT;  —SDVS  add 
end  SDVS_PACKAGE;  —SDVS  add 
use  SDVS.PACKAGE;  —SDVS  add 


—  $users: [na.adacode.bldl]global_types.ads 

GLOBAL.TYPES.ADS 

—  TYPE:  Package  Specification 

—  PURPOSE  :  This  package  contains  the  types  used  throughout 

the  tracking  processor  software. 


—  EXCEPTIONS: 


--  MOTES: 


—  CHANGE  HISTORY: 

m/dd/yy  ?.  ?????  Initial  Version 


package  GLOBAL_TYPES  is 

— SDVS  coiment:  L0NG_W0RD  type  is  used  only  in  MEMORY_HANAGER  and  in  ARRAY_0F_BL0CKS 
— SDVS  coment:  It  is  not  used  in  the  code  we  uill  need. 

--SDVS  delete:  type  LONG.WORD  is  range  0. .2147483647; 

— SDVS  delete:  for  LONG.WORD’size  use  32; 

type  WORD  is  range  0.. 65535; 
for  WORD ’size  use  16; 

—  Bit  Sliced  Unsigned  Integer  Definitions. 

—  "WORD"  is  used  for  16  bits  and  "BYTE"  is  used  for  8  bits. 


—SDVS 

comment 

:  types  B15  . .  B1  are 

never  used  in  any  part  of  the  target  code 

—SDVS 

delete: 

type  B15  is  range  0. 

.32767; 

—SDVS 

delete: 

for  B15’size  use  15 

I 

—SDVS 

delete: 

type  B14  is  range  0. 

.16383; 

—SDVS 

delete: 

for  B14’size  use  14 

i 

—SDVS 

delete: 

type  B13  is  range  0. 

.8191; 

—SDVS 

delete: 

for  B13’size  use  13 

> 

—SDVS 

delete: 

type  B12  is  range  0. 

.4095; 

—SDVS 

delete: 

for  B12’size  use  12; 

—SDVS 

delete: 

type  Bll  is  range  0. 

.2047; 

—SDVS 

delete: 

for  Bll’size  use  11 

t 

—SDVS 

delete: 

type  BIO  is  range  0. 

.1023; 

—SDVS 

delete: 

for  BIO ’size  use  10; 

— SDVS  delete:  type  B9  is  range  0.. 
— SDVS  delete:  for  BS’size  use  9; 

type  BYTE  is  range  0 . . 255 ; 
for  BYTE ’size  use  8; 

511; 

—SDVS 

—SDVS 

delete: 

delete : 

type  B7  is  range  0.. 
for  B7’size  use  7; 

127; 

—SDVS 

—SDVS 

delete: 

delete: 

type  B6  is  range  0 . . 
for  B6’size  use  6; 

63; 

—SDVS 

—SDVS 

delete : 

delete: 

type  B5  is  range  0 . . 
for  B5’size  use  5; 

31; 
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— SDVS  delete: 
— SDVS  delete: 

—SDVS  delete: 
—SDVS  delete: 

—SDVS  delete: 
—SDVS  delete: 

—SDVS  delete: 
—SDVS  delete: 


type 

B4 

is  range 

0. 

.15; 

for 

B4 

’size  use 

4; 

type 

B3 

is  range 

0. 

.7; 

for 

B3 

’size  use 

3; 

type 

B2 

is  range 

0. 

.3; 

for 

B2 

’size  use 

2; 

type 

B1 

is  range 

0. 

.1; 

for  Bl’size  use  1; 

— sdvs  coBunent:  Only  used  in  package  TRKING_DATA_STRUC ,  in  parts  that  we  will  not  need. 
—SDVS  delete:  type  BYTE.INTEGER  is  range  -128..  127; 

—SDVS  delete:  for  BYTE_INTEGER>Size  use  8; 


— SDVS  comment :  Never  used  in  any  part  of  the  target  code . 

—SDVS  delete:  type  WORD_ARRAY_TYPE  is  array  (INTEGER  range  <>)  of  WORD; 

— SDVS  comment :  Never  used  in  any  part  of  the  target  code . 

—SDVS  delete:  type  BYTE_ARRAY_TYPE  is  array  (INTEGER  range  <>)  of  BYTE; 

— SDVS  comment:  Only  used  in  the  package  TRKING_DATA_STR'tJC  in  peirts  that  we  will  not  need. 
—SDVS  delete:  type  ARRAY_QF_FLOAT_TYPE  is  array  (INTEGER  range  <>)  of  FLOAT; 


— SDVS  comment:  Only  used  in  the  package  TRKING_DATA_STRUC,  in  parts  that  we  will  not  need. 
—SDVS  delete:  type  ARRAY_OF_LONG_FLOAT_TYPE  is  array  (INTEGER  range  <»  of  LONG.FLOAT; 


type  ia_STATUS_TYPE  is  array  (0..15)  of  BOOLEAN; 

— SDVS  delete  (pragma):  pragma  pack(IO_STATUS_TYPE) ; 

end  GLOBAL.TYPES; 


—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 
— SDVS  The  three  package  instantiations  below  are  not  part  of  the  original 
— SDVS  MSX  software  and  are  not  a  part  of  the  code  translated  by  the  SDVS 
— SDVS  translator.  However  these  instantiations  are  needed  to  compile  and 
— SDVS  execute  the  code  with  the  Verdix  compiler  at  Aerospace  and  are 
— SDVS  required  by  standard  Ada  compilers.  They  are  needed  for  the  ‘'get” 

—SDVS  for  objects  of  type  WORD  in  SERIAL_DIG_CMDS.CMD_IN_HANDLER, 

— SDVS  the  ‘‘put”  for  objects  of  type  INTEGER  in 

—SDVS  EEPROM_DATA.STDRE_DATA_STRUC_IN_EEPROM,  and  the  ‘‘put”  for 

—SDVS  objects  of  type  BYTE  in  TM_DATA.MANAGE.REPORT_SYSTEM_ERRDR. 

—SDVS 

—SDVS  package  NE¥_W0RD_ID  is  new  INTEGER.IO (GLOBAL.TYPES .WORD)  ;  use  NEW.WORD.IO; 
—SDVS  package  NEW.INTEGER.IO  is  new  INTEGER.IO (INTEGER) ;  use  NEW.INTEGER.IO ; 
—SDVS  package  NEW.BYTE.IO  is  new  INTEGER.IO  (GLOBAL.TYPES.  BYTE)  ;  use  NEW.BYTE.IO; 
—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 


ASM.UTILITY.ADS 
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—  TYPE:  Package  Specification 

—  PURPOSE  :  This  package  contains  the  utility  subroutines 

written  in  the  1750A  assembly  language. 

--  EXCEPTIONS: 

—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 


— SDVS  delete  (with):  with  SYSTEM; 
package  ASM.UTILITY  is 

— SDVS  delete  (1750A,  pragma):  Pragma  Foreign_Body  ("Assembler"); 

—SDVS  delete  (1750A):  Function  CHECK.PARITY  (Address  :  in  SYSTEM. ADDRESS) 
—SDVS  return  BOOLEAN; 

Function  CHECK.PARITY  return  BOOLEAN;  — SDVS  replace 
— SDVS  delete  (1750A,  pragma):  Pragma  Linkage_Name  (CHECK .PARITY  , 

—SDVS  "CHECK.PARITY") ; 


end  ASM.UTILITY; 


— $users : [na . adacode . bld2] serial_dig_cmds . ads 


SERIAL.DIG.CMDS.ADS 


—  TYPE:  Package  Specification 

—  PURPOSE  :  This  package  contains  software  to  support  the 

interface  with  the  serial  digital  command  system. 

The  hierachy  of  subprograms  in  this  package  is 
as  follows: 

I.  RET_CMD_C0UNT  (Called  by  the  task  APP.HSGS .BUILD) 

II.  RET_CMD_BUF_AND_STATUS  (Called  by  the  task  APP.MSGS. BUILD 
when  the  command  count  is  >  0) 

III.  CMD_IN_HANDLER  (This  is  the  standard  interrupt  handler  for 
the  short  data  command  interrupt.  When  a  short  data 
command  interrupt  occ\ires,  control  is  vectored  to 
TP_STD_INT_PROC_SERVICE_SETUP,  in  turn 

TP_STD_IMT_PROC_SERVICE_SETDP  calls  this  routine  to  service 
the  interrupt . ) 

—  EXCEPTIONS: 

—  NOTES: 
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—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 


— SDVS  delete  (with):  with  GLQBAL_TyPES ; 

package  SERIAL_DIG_CHDS  is 

type  CMD_BYTES_TYPE  is  record 
First _Byte  :  GLOBAL.TYPES.BYTE; 

Second_Byte  :  GLOBAL.TYPES.BYTE; 

Third_Byte  :  GLOBAL.TYPES.BYTE; 

Fourth_Byte  :  GLOBAL.TYPES.BYTE; 
end  record; 

— SDVS  delete  (pragma):  pragma  pack (Cmd.Bytes.Type) ; 

Cmd.Buf.Size  :  constant  INTEGER  :=  70;  —  37.5  interrupts/sec 

type  CMD.BUF.TYPE  is  array  (1 .. Cmd.Buf.Size)  of  CMD.BYTES.TYPE; 
type  CHD_STATUS.BUF.TYPE  is  array  ( 1 .. Cmd.Buf.Size)  of  INTEGER; 

—  The  following  defines  the  possible  command  status  values  with  the 

—  two  exceptions: 

(1)  Cmd.Lost  is  allowed  only  lor  the  last  (70th)  command 
in  the  buffer. 

(2)  Cmd.Lost  and  Cmd.FIFO.Not.Empty  are  ORed  to  the  rest  of 
other  status  values. 


Cmd.OK  :  constant  INTEGER  :=  0; 

App.Msg.Dropped  :  constant  INTEGER  :=  1; 

Bad. Checksum  :  constant  INTEGER  :=  2; 

Flushed.prior .Build  :  constant  INTEGER  :=  3; 

Invalid.Data.Struct.Hsg.ID  :  constant  INTEGER  :=  4; 
Invalid.Starting.Cmd  :  constant  INTEGER  :=  5; 


App.Msg.Overwritten  ; 

:  constant 

INTEGER 

:=  6; 

—  These  are  checked  by 
--  by  SERIAL.DIG.CMDS . 

Cmd.Bad.Parity 

;  constant 

INTEGER 

:=  7; 

—  Pcirity  of  the  command  is 

—  not  odd. 

Cmd.Lost  ; 

;  constant 

INTEGER 

:=  8; 

—  New  command  is  lost 

—  because  the  command  buffer 

—  is  full. 

Cmd.FIFO.Not.Empty 

:  constant 

INTEGER 

:=  16; 

—  The  command  in  FIFO  is  not 

—  empty  after  one  command 

—  (4  bytes)  is  read. 

—  function/ procedure  specifications 

function  RET.CMD.COUNT  return  INTEGER; 

procedure  RET.CHD.BUF.AND.STATUS 

(Cmd_Buf  ;  out  CMD.BUF.TYPE; 

Cmd.Status.Buf  :  out  CMD.STATUS.BUF.TYPE; 
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CBd_Coimt  :  out  IHTEGER; 

FIFO_Not_EBpty_Count  :  out  INTEGER; 

IO_Status_¥ord  :  out  GLDBAL_TYPES . WORD ; 

Lost_CBd  :  out  BOOLEAN) ; 


— SDVS  comment:  The  function  RET_MSG_ID  has  been  added 

— SDVS  comment:  for  the  scheduler.  It  returns  the  message  identifier  for 
— SDVS  comment :  the  next  block  of  commands  in  the  input  encoding  a  message . 
function  RET_MSG_ID  return  GLOB AL.TYPES. BYTE;  —SDVS  add 

procedure  CMD_IN_HANDLER; 

— SDVS  delete  (pragma):  pragma  linkage_name(CMD_IN_HANDLER,  "CHD_IN_HANDLER") ; 
end  SERIAL_DIG_CMDS; 

—  $users:  [na.adacode.bld2.longload.dslcmds_t3rpes.ads 


CMDS.TYPES.ADS 


—  TYPE:  Package  Specification 

—  PURPOSE  :  This  package  defines  the  data  types  that  axe 

—  commonly  used  by  the  Process  Commands  group  packages. 

—  EXCEPTIONS: 

—  NOTES: 

—  CHANGE  HISTORY: 

mm/dd/yy  B.  Na  Initial  version 


package  CMDS_TYPES  is 

App_Msg_Max  :  constant  INTEGER  :=  80; 

— SDVS  comment :  The  predefined  t3rpe  POSITIVE  is  not  implemented  in  SDVS . 

— SDVS  delete:  subtype  INDEX_SUBTYPE  is  POSITIVE  range  1 . . App_Hsg_Max ; 

subtype  INDEX_SUBTYPE  is  INTEGER  range  1 . . App_Hsg_Hax ; — SDVS  replace 
— SDVS  comment:  SDVS  does  not  currently  handle  unconstrained  array  types. 

— SDVS  delete  (unconstrained  etrray)  :  t3rpe  APP_MSG_OUT_TYPE  is 
—SDVS  cont:  array  (INDEX.SUBTYPE  rangeO)  of  INTEGER; 

type  APP_MSG_OUT_TYPE  is  array  (1  .  .  App_Msg_Max)  of  INTEGER;  —SDVS  replace 

Load_Msg_Max  :  constant  INTEGER  :=  127; 

type  LOAD_MSG_TYPE  is  array  (1 . .Load_Msg_Hai)  of  INTEGER; 

end  CMDS.TYPES; 


MODE.STATE.ADS 


—  TYPE:  Package  Specification 

—  PURPOSE  :  BOGUS  MODE_STATE! 
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—  EXCEPTIONS: 


—  NOTES: 

—  CHANGE  HISTORY: 

mm/dd/yy  ?.  ?????  Initial  Version 


package  MODE_STATE  is 

type  MODE_STATE_TYPE  is  (Pooer_Up,  Init_Setup,  Init_EEPROM_Write, 

Init .Memory _Load,  Init_Memory_Dump , 
Tracking.Setup ,  Tracking) ; 

type  STATUS_OF_REQUEST_TYPE  is  (State.Granted,  State.Denied) ; 
procedure  PERFORM.SQFT.RESET; 

function  RETRIEVE_COR_STATE  return  MODE_STATE_TYPE; 

procedure  CHG_STATE(Mode_State_Req  :  in  MODE_STATE_TYPE ; 

Status.Of.Request  :  out  STATUS.OF.REQUEST.TYPE) ; 


end  MODE.STATE; 

—  $users; [na.adacode.bld2.1ongload.ds]eeprom_data.ads 


EEPRaM_DATA.ADS 


—  TYPE:  Package  Specification 

—  PURPOSE:  This  package  stores  and  retrieves  EEPROH  data. 

There  are  three  types  of  EEPROH  data  stored  and 
retrieved  by  this  package; 

1 .  data  structure 

2.  specific  memory  (EEPROH)  load  data 

3 .  miscellaneoiis  system  variable  data 

The  hierarchy  of  external  subprograms  in  this  package 
is  as  follows: 

I.  STORE_DATA_STRUC_IN_EEPROM  (called  by  APP_MSGS.PROCESS_MSG 

and  ARRAY_OF_BLOCKS.PROCESS_MSGS_IN_BLOCKS) 

II.  RET_DATA_STRUC_IN_EEPROH  (called  by  TRKING.PARAMS.INIT.PARMS) 

III.  RET_SYS_CONFIG  (called  by  APP.MSGS .PROCESS.MSG  on  powerup) 

IV.  WRITE_LOAD_DATA_Ta_EEPROM  (called  by  APP.MSGS .PROCESS.HSG 

and  ARRAY_OF_BLOCKS.PROCESS_MSGS_IN_BLOCKS) 

—  EXCEPTIONS: 
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—  NOTES: 


—  CHANGE  HISTORY:  01/31/92  B.  Na  Initial  Version 


— SDVS  delete  (with):  with  GLOBAL.TYPES ; 
— SDVS  delete  (with):  with  CMDS.TYPES; 


package  EEPROM_DATA  is 

procedure  STORE_DATA_STR.UC_IN_EEPROM 


(Array_0f_Words 

:  in 

CMDS.TYPES .  APP_MSG_Oirr_TYPE ; 

Data_Struc_ID 

:  in 

INTEGER: 

Data_Struc_Length 

:  in 

INTEGER) : 

end  EEPROM.DATA; 


—SDVS  delete  (with):  with  GLOBAL_TYPES ; 
package  TRKING_DATA_STRUC  is 

—  This  package  defines  types  to  support  data  structures  specified  in  the 

—  TP/CP  IDS.  The  following  table  is  a  list  of  the  data  structure  message 

—  IDs  and  associated  name. 


1  Beacon  alignment  first  object 

2  Beacon  alignment  second  object 

3  UVISI  alignment  visible  NFOV  imager 

4  UVISI  alignment  visible  WFOV  imager 

5  UVISI  alignment  UV  NFOV  imager 

6  UVISI  alignment  UV  WFOV  imager 

7  QSDP  alignment 

8  Initied  Covariance 

9  Covariance  Q-ing 

—  10  AP  propagation  time 

11  Filter  lag  time 


—  12 

Beacon  receiver 

measurement 

noise 

for  frequency  #  1 

—  13 

Beacon  receiver 

measurement 

noise 

for  frequency  #  2 

—  14 

UVISI 

measurement 

noise 

visible 

NFOV 

imager 

—  15 

UVISI 

measurement 

noise 

visible 

WFOV 

imager 

—  16 

UVISI 

measurement 

noise 

UV 

NFOV 

imager 

—  17 

UVISI 

measurement 

noise 

UV 

WFOV 

imager 

—  18 

OSDP 

measurement 

noise 

19  UVISI  data  association  processing  parameters 

—  20  Roll  angle  bias 

—  21  Sensor  data  priority 

22  Filter  loss  of  track  rules 
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—  23  Sensor  data  acceptance  threshold 

24  UVISI  4  Hz  Status 

—  25  UVISI  4  Hz  angle  threshold 

—  26  Priority  level  loss  of  track  switch  times 

—  27  Raw  data  alpha  -  beta  filter 

—  28  Year 

—  29  Roll  Law  Reference  Vector 

—  50  Event  time/selection 

—  51  Y-Z  offset 

—  52  Event  stage  times 

—  53  Stage  1  polynomial  coefficients 

—  54  Stage  2  polynomial  coefficients 

—  55  Stage  1  sinusoidal  curve  fit  coefficients 

—  56  Stage  2  sinusoidal  curve  fit  coefficients 

—  57  Satellite  parcimeters 

—  58  Lat.,  Long.,  Alt.,  coefficients 

—  59  Az.,  ft  tangent  height  coefficients 

—  60  ECI  vector 

—  61  Az  ft  EL  coefficients 

—  62  Beacon  frequencies 

—  63  Attitude  Quaternions  and  rates 

—  64  Attitude  Quaternions  -  zero  rates 

—  65  Object  Deployment  Parameters 

—  66  Time  reference  scan  parameters 

—  67  Geometric  scan  paramters 

—  80  Change  event  stop  time 

—  81  Change  sensor  selection 

—  82  Change  pointing  selection 

—  83  New  roll  law  selection  number 

—  84  Filter  UVISI  enable/disable 

—  85  Change  UVISI  data  association  algorithm  to  use 

—  86  Change  stage  1  time 

—  87  Change  stage  2  time 

—  88  Change  current  event  Y-Z  offset 

—  89  New  beacon  frequency 

—  90  Beacon  object  number  to  switch  to 

—  91  Change  attitude  quaternion  and  rates  for  current  event 

—  92  Change  attitude  quaternion  only  -  zero  rates  for  current  event 

—  93  Turn  time  filtering  on/off 


Ninii_Data_Struc  :  constant  INTEGER  :=  109; 

—  This  table  lists  the  mmber  of  words  in  the  message  for 

—  a  data  structure  load  message.  The  data  structure  ID  is  used  as  an 

—  index  into  the  table.  ID  1  thru  49  are  reserved  for  current/futrue 

—  event,  50  thru  79  are  reserved  for  next  event  and  80  thru  109  are 

—  are  reserved  for  current  data  structures. 

—  This  table  is  used  by  APP.HSGS,  ARRAY_QF_BL0CKS,  and  TRKING.P ARAMS . 

type  W0RDS_F0R_DATA_STRUC_TYPE  is  array  (1 . .Num_Data_Struc)  of  integer; 
Words_For_Data_Struc  :  constant  H0RDS_F0R_DATA_STRUC_TYPE  := 
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(20, 

20, 

20, 

20, 

20. 

20. 

20, 

14. 

14, 

04, 

04, 

06, 

06, 

04, 

04, 

04, 

04, 

04, 

11. 

04, 

04, 

03. 

06, 

03, 

05, 

05, 

06, 

03, 

08. 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

15, 

06, 

08, 

57, 

57. 

78. 

78, 

19. 

08, 

06, 

09, 

06, 

07. 

16, 

10, 

11. 

11, 

22, 

00, 

00, 

00, 

00. 

00, 

00, 

00, 

00, 

00, 

00, 

00. 

00, 

05, 

03, 

03, 

03, 

03, 

03, 

05, 

05, 

06, 

05, 

03, 

16. 

10, 

03, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00); 

end  TRKING_DATA_STRUC; 


TH_DATA.ADS 


—  TYPE:  Package  Specification 

—  PURPOSE:  This  buffer  package  stores  nen  telemetry  data, 

such  as  system  errors,  pointing  or  tracking  data 

—  for  the  last  half  second,  UVISI  gate  results  and 
the  last  transmitted  AP  and  Broadcast  messages. 

"Document  something  about  command-out  coimter." 

The  buffered  data  is  then  retrieved  by  TH. COLLECT, 

—  once  a  second,  for  reporting  in  housekeeping 

—  telemetry. 

—  EXCEPTIONS: 

—  NOTES:  This  package  is  expected  to  be  in  the  same  Address 

State  as  TM.  Sys-Error-Buff er  is  a  package  level 
variable  and  passed  by  reference. 


package  TM_DATA  is 


—  MANAGE  TASK  TYPE 

— SDVS  delete  (task) :  task  type  MAHAGE_TYPE  is 

— SDVS  delete  (task) :  entry  REPORT_SYSTEH_ERROR(Sys_Error_Code  : 

—SDVS  in  GLOBAL_TYPES.BYTE) 
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— SDVS  delete  (task):  end  MANAGE.TYPE; 

— SDVS  delete  (task):  for  MANAGE_TYPE ’storage_size  use  300  ; 
—SDVS  delete  (task):  MANAGE  :  MANAGE.TYPE; 


package  MANAGE  is  — SDVS  replacement 

procedure  REPORT_SYSTEM_ERROR(Sys_Error_Code  : 

in  GLOB AL_ TYPES. BYTE) ;  — SDVS  replacement 

end  MANAGE;  — SDVS  replacement 
end  TM_DATA; 


—  $users: [na.adacode.bld2.1ongload.ds]app_msgs.ads 


APP_MSGS.ADS 


—  TYPE:  Package  Specification 

—  PURPOSE  :  This  package  contains  software  to  build  and 

process  the  application  messages  for  the  serial  digital 
commands  buffered  by  SERIAL_DIG_CMDS. 

This  package  consists  of  following  tasks  and  external 
procedures  and  function: 

I.  BUILD  (This  task  runs  at  a  2  Hz  rate.) 

II.  PR0CESS_MSG  (This  task  runs  without  any  delay  but  pends  at  the 

guarded  entry  MANAGE. HSG_RETRIEVAL.RET_NEXT_MSG.) 

III.  MANAGE_MSG_RETRIEVAL  (This  task  rendezvous  with  PR0CESS_HSG  when 

the  application  message  count  is  greater 
than  zero . ) 

IV.  Other  Procedures  or  Functions 

A.  NEW_TM_DATA 

B.  RET_LATEST_CHDS 

C.  RET_INIT_CMD_LAST_APP_MSG 

—  EXCEPTIONS: 

—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na 


Initicil  Version 


ma/dd/yy  B.  Na 


Build  2  Changes 


— SDVS  delete  (with);  with  SERIAL_DIG_CMDS ; 

— SDVS  delete  (uith) :  with  GLQBAL.TYPES ; 

package  APP_MSGS  is 

Max_NuM_Latest_Cmds  :  constant  INTEGER  :=  40; 

type  LATEST_CMD_BUF_TYPE  is  array  (1 .  .Max_NuiD_Latest_Cads)  of 

Serial_Dig_Cmds .  CBid_Bytes_Type ; 

type  LATEST_STA'nJS_BUF_TYPE  is  array  (1 .  .Max_NuBi_Latest_Cmds)  of 

INTEGER; 

type  LATEST. CMD.TM.TYPE  is  record 

Cmd.Buf  ;  LATEST_CMD_BUF_TYPE; 

Status_Buf  :  LATEST_STATUS_BUF_TYPE; 

Fresh_Cmd_Count  :  INTEGER; 

Cad.Total  :  INTEGER; 

I0_Status_Word  ;  GLQBAL.TYPES. WORD; 

Rejected.Cmd.Count  :  INTEGER; 

FIFO. Hot .Eapty.Count  :  INTEGER; 

Saved.Sat.Subsys.Conf ig  :  GLOB AL.TYPES . WORD ; 
end  record; 

type  LAST.APP.MSG.TM.TYPE  is  record 

Start ing.Cad  :  SERI AL.DIG. CMOS. CMD.BYTES.TYPE; 

Cad.Total  :  INTEGER; 

lO.Status.Word  ;  GLOB AL.TYPES. WORD; 

Rejected.Cad.Count  :  INTEGER; 

FIFO.Not .Eapty.Count  :  INTEGER; 

Saved.Sat.Subsys.Conf ig  :  GLQBAL.TYPES. WORD; 

end  record; 

—  function/procedure  specifications 
— SDVS  coaaent:  The  function  and  two  procedures  that  follow  are  never 
— SDVS  comment:  called  in  this  target  code.  They  are 

— SDVS  coament:  called  by  TM. COLLECT  for  telemetry  reports  on  the  system. 

— SDVS  delete:  function  NEW.TM.DATA  return  BOOLEAN; 

— SDVS  delete:  procedure  RET.LATEST.CHDS  (Latest. Cmd.TH  : 

—SDVS  delete:  out  LATEST.CMD.TM.TYPE)  ; 

—SDVS  delete:  procedure  RET.INIT.CMD.LAST.APP.HSG 

—SDVS  delete:  (Last.App.Msg.TM  :  out  LAST.APP.MSG.TM.TYPE)  ; 

— SDVS  comment :  The  three  procedures  below  were  originally  tasks  and  did 
— SDVS  coament:  not  appear  in  the  visible  part  of  the  package  APP.MSGS. 

— SDVS  comment :  We  have  to  include  them  in  the  visible  part 

— SDVS  comment :  of  this  package  because  they  will  be  called  by  the  main  program . 

procedure  BUILD;  — SDVS  replace:  Replaces  task  declaration  type  in  body  of  APP.MSGS. 
procedure  MANAGE.MSG.RETRIEVAL(App.Msg.Out  :  out  CMDS.TYPES . APP.MSG.OUT.TYPE) ; 
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—  SDVS  replace:  Replaces  task  declaration  type  in  body  of  APP_MSGS. 

procedure  PROCESS_HSG;  — SDVS  replace:  Replaces  task  declaration  type 
—SDVS  in  body  of  APP_MSGS. 

— SDVS  comment :  The  function  RET_MSG_LENGTH  returns  the  length  of  the  next  block 
— SDVS  comment:  of  commands  in  the  input  based  on  the  message  identifier.  We 
— SDVS  comment:  added  it  for  the  scheduler. 

function  RET.MSG_LENGTH(Msg_Id:  GLOB AL.TYPES. BYTE)  return  IHTEGER;  —SDVS  add 
end  APP.MSGS; 


—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 
—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 
—SDVS  comment:  BEGINNING  OF  BODY  DECLARATIONS 

—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 
—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 


—SDVS 

delete 

(1750A): 

MODULE  ASM.UTILITY 

—SDVS 

delete 

(1750A) : 

* 

Routines  in  this  module  ! 

—SDVS 

delete 

(1750A): 

DEFINE 

CHECK.PARITY 

*  perform  odd-parity  check  on 

—SDVS 

delete 

(1750A): 

*  Cmd.Bytes.Type . 

—SDVS 

delete 

(1750A): 

—SDVS 

delete 

(1750A): 

USRCQDE 

CSECT.I 

—SDVS 

delete 

(1750A): 

—SDVS 

delete 

(1750A): 

« 

—SDVS 

delete 

(1750A): 

♦ 

Function  Check_Parity  (Address  :  in  SYSTEM. ADDRESS) 

—SDVS 

delete 

(1750A): 

* 

return  BOOLEAN 

—SDVS 

delete 

(1750A): 

♦ 

1. 

Read  4  words  stored  starting  at  Address. 

—SDVS 

delete 

(1750A): 

* 

2. 

Count  the  number  of 

i’s  in  the  lower  bytes 

—SDVS 

delete 

(1750A) : 

* 

(bit  8  thru  15)  of 

words . 

—SDVS 

delete 

(1750A): 

* 

3. 

If  odd  number  of  1'; 

s,  then  return  1  (True). 

—SDVS 

delete 

(1750A): 

♦ 

Otherwise,  return  0 

(False) . 

—SDVS 

delete 

(1750A): 

—SDVS 

delete 

(1750A): 

—SDVS 

delete 

(1750A): 

CHECK.PARITY  EQU  $ 

—SDVS 

delete 

(1750A): 

* 

—SDVS 

delete 

(1750A): 

♦ 

Get  the  Parameters  off  the 

stack 

—SDVS 

delete 

(1750A): 

* 

SP  = 

>  "Address" 

—SDVS 

delete 

(1750A): 

—SDVS 

delete 

(1750A): 

L 

R4,0,R15 

*  get  the  parameter  (Address)  of 

—SDVS 

delete 

(1750A): 

*  Cmd.Bytes.Type  off  the  stack 

—SDVS 

delete 

(1750A): 

PSHH 

R4,R6 

*  save  R4  thru  R6 

—SDVS 

delete 

(1750A): 

SR 

R2,R2 

♦  R2  <-  init  num.of.l’s  in 

—SDVS 

delete 

(1750A): 

*  Cmd.Bytes.Type  data 

—SDVS 

delete 

(1750A) : 

LIM 

R6,4 

♦  Cmd.Bytes.Type  data  occupies 

—SDVS 

delete 

(1750A): 

*  4  words 

—SDVS 

delete 

(1750A): 

BITWORD 

EQU  $ 

—SDVS 

delete 

(1750A): 

LIM 

R3,8 

*  interested  in  only 

—SDVS 

delete 

(1750A): 

lower  8  bits 
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—SDVS 

delete 

(1750A): 

L 

R5,0,R4 

* 

get  the  cmd  byte  stored 

—SDVS 

delete 

(1750A): 

* 

in  bit  8  thru  15 

—SDVS 

delete 

(1750A):  BITCHEK 

EQU 

$ 

—SDVS 

delete 

(1750A): 

TBR 

8,R5 

* 

if  bit  8  is  0 

—SDVS 

delete 

(1750A): 

JC 

2, BITZERO 

* 

skip  incrementing  num.of.l’s 

—SDVS 

delete 

(1750A): 

* 

else 

—SDVS 

delete 

(1750A): 

AIM 

R2,l 

* 

increment  niun.of.l’s 

—SDVS 

delete 

(1750A):  BITZERO 

EQU 

$ 

—SDVS 

delete 

(1750A): 

SLL 

R5,l 

* 

shift  logical  left  once 

—SDVS 

delete 

(1750A): 

SOJ 

R3, BITCHEK 

♦ 

repeat  for  8  bits 

—SDVS 

delete 

(1750A): 

AIM 

R4,l 

* 

get  the  next  word 

—SDVS 

delete 

(1750A): 

SOJ 

R6.BITWQRD 

* 

repeat  for  4  words 

—SDVS 

delete 

(1750A): 

—SDVS 

delete 

(1750A): 

ANDM 

R2,HEX(0001) 

* 

we  only  care  whether  odd 

—SDVS 

delete 

(1750A): 

* 

or  even  number  of  1 ’ s 

—SDVS 

delete 

(1750A): 

POPM 

R4,R6 

♦ 

restore  R4  thru  R6 

—SDVS 

delete 

(1750A); 

LR 

R3,R0 

—SDVS 

delete 

(1750A):  ♦  note:  JC  uses  an  index  register 

which  is  R1...R15  (i.e.  not  RO) 

—SDVS 

delete 

(1750A): 

JC 

7,0,R3 

*  GOTO  RETURN  ADDRESS 

—SDVS 

delete 

(1750A):  * 

—SDVS 

delete 

(1750A);  *  THATS  ALL 

FOLKS 

—SDVS 

delete 

(1750A):  * 

—SDVS 

delete 

(1750A):  ♦  ITS  assembler  doesn 

’t  predefine 

RC 

1.  .R15 

—SDVS 

delete 

(1750A):  ♦ 

—SDVS 

delete 

(1750A):  RO 

EQU 

0 

—SDVS 

delete 

(1750A);  R1 

Equ 

1 

—SDVS 

delete 

(1750A):  R2 

EQU 

2 

—SDVS 

delete 

(1750A):  R3 

EQU 

3 

—SDVS 

delete 

(1750A):  R4 

EQU 

4 

—SDVS 

delete 

(1750A);  R5 

EQU 

5 

—SDVS 

delete 

(1750A):  R6 

EQU 

6 

—SDVS 

delete 

(1750A):  R7 

EQU 

7 

—SDVS 

delete 

(1750A):  R8 

EQU 

8 

—SDVS 

delete 

(1750A):  R9 

EQU 

9 

—SDVS 

delete 

(1750A);  RIO 

EQU 

10 

—SDVS 

delete 

(1750A):  Rll 

EQU 

11 

—SDVS 

delete 

(1750A):  R12 

EQU 

12 

—SDVS 

delete 

(1750A):  R13 

EQU 

13 

—SDVS 

delete 

(1750A):  R14 

EQU 

14 

—SDVS 

delete 

(1750A):  R15 

EQU 

15 

—SDVS 

delete 

(1750A):  ALL 

EQU 

7 

—SDVS 

delete 

(1750A): 

END 

package  body  ASM_UTILITY  is  — SDVS  add 

function  CHECK.PARITY  return  BOOLEAN  is  —SDVS  add 
begin  — SDVS  add 
retiim  true;  — SDVS  add 
end  CHECK.PARITY;  —SDVS  add 

end  ASM.UTILITY;  —SDVS  add 


INTRIHSIC.FUNCTIONS . ADS 
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—  TYPE:  Package  Specification 

—  PURPOSE  :  this  package  instantiates  the  Tartan  intrinsic  functions  to 

—  perform  XID  functions  and  bit  operations. 

—  EXCEPTIONS: 

—  NOTES: 

—  CHANGE  HISTORY 


—  02/14/92 

R.  Pham 

Initial  Version 

—  02/28/92 

R.  Pham 

Instantiate  Shift  fmictions  using  UNSIGNED.WORD  as 

— 

result  type 

—  03/02/92 

R.  Pham 

Instantiate  functions  using  UNSIGNED.BYTE 

—  03/05/92 

S.  Hutton 

Modified  for  tracking  processor 

— SDVS 
— SDVS 
—SDVS 
—SDVS 
—SDVS 
—SDVS 
—SDVS 
—SDVS 


comment : 
comment : 
comment : 
comment : 
comment : 
comment : 
comment : 
comment : 


This  package  instantiates  generic  functions  from  the  Tartcui 
supplied  INTRISICS  package.  The  functions  perform  bit 
mauiipulations.  We  needed  only  a  feo  of  the  instantiated 
functions.  To  compile  and  execute  the  code  oith  the 
Verdix  compiler  at  Aerospace,  we  supplied  Ada  code  for 
the  functions  we  needed.  In  the  final  SDVS  proofs,  this 
code  was  not  used:  we  used  adalemmas  to  characterize 
their  behavior.  These  adalemmas  were  not  proved. 


—SDVS  delete  (with):  with  GLOBAL.TYPES ; 

—SDVS  delete  (with):  with  INTRINSICS;  use  INTRINSICS; 


package  INTRINSIC.FUNCTIONS  is 


—SDVS  delete: 
—SDVS  delete: 
—SDVS  delete: 
function  AND 


function  AND_I  is  new  ANDi  (INTEGER, 

INTEGER, 

INTEGER) ; 

_I(X,  Y:  INTEGER)  return  INTEGER;  — SDVS  replace  above  declaration 


— SDVS  comment:  Needed  for  masking  in  PROCESS_MSG_TYPE . 

—SDVS  delete:  function  AND_W0RD  is  new  ANDi  (GLGBAL.TYPES.WORD, 

—SDVS  delete:  GLOB AL.TYPES. WORD, 

—SDVS  delete:  GLOBAL.TYPES  .WORD)  ; 

function  AND_WDRD(X,  Y:  GLOB AL.TYPES. WORD)  return  GLOBAL.TYPES . WORD ;  —SDVS  replace 


—  The  comment  in  the  spec  says  16  or  32-bit  logical  and.  The  comment  is 

—  not  next  to  the  operand  or  result  type.  Thus,  bytes  can  be  used  and  the 

—  system  will  generate  correct  code. 

— SDVS  comment :  Needed  for  masking  in  Build_Type  (only  use  in  the  code) . 

—SDVS  delete:  function  AND.BYTE  is  new  ANDi  (GLOBAL.TYPES .BYTE, 

—SDVS  delete:  GLOBAL.TYPES  .BYTE, 

—SDVS  delete:  GLOBAL.TYPES  .BYTE)  ; 

function  AND.BYTE(X,  Y:  GLOBAL.TYPES. BYTE) 

return  GLOBAL.TYPES .  BYTE ;  —SDVS  replace 
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—  "or"  is  a  reserved  word. 

— SDVS  delete:  function  0R_I  is  new  ORi  (INTEGER, 

— SDVS  delete:  INTEGER, 

—SDVS  delete:  INTEGER); 

function  0R_I(X,  Y:  INTEGER)  return  INTEGER;— SDVS  replace 


— SDVS  delete:  function  0R_W0RD  is  new  ORi  (GLQBAL_TYPES.¥ORD, 

—SDVS  delete:  GLQBAL.TYPES .WORD, 

—SDVS  delete:  GLOB AL_TYPES  .WORD)  ; 

function  0R_W0RD(X,  Y:  GLOBAL_TYPES .WORD) 

return  GLOBAL_TYPES . WORD ;  — SDVS  replace 


— SDVS  delete:  function  XOR.WORD  is  new  XORi 

— SDVS  delete: 

— SDVS  delete: 

function  XOR_WORD(X,  Y:  GLOB AL.TYPES. WORD) 


(GLDBAL_TYPES.WORD, 
GLOB AL.TYPES. WORD, 
GLOBAL.TYPES.WORD); 


return  GLOB AL_TYPES. WORD;  — SDVS  replace 


—  16-bit  shift  logical.  For  shift  logical  count  in  register,  if  |N|>16, 

—  the  fixed  point  overflow  occurs. 

—SDVS  delete:  function  SHIFT.LOGI CAL. WORD  is  new  SL  (GLOBAL.TYPES.WORD, 
—SDVS  delete:  GLOBAL.TYPES.WORD): 

function  SHIFT.LOGICAL.WORD(X:  GLOBAL.TYPES.WORD;  Y:  INTEGER) 

return  GLOBAL.TYPES.WORD;  —SDVS  replace 


end  INTRINSIC.FUHCTIQNS ; 


— SDVS  conMent:  We  wrote  code  for  the  functions  in  the  INTRINSIC.FUHCTIDNS 
— SDVS  coiunent :  package  below  to  test  the  target  software  on  the  Verdix 
— SDVS  comment:  compiler.  Our  proofs  do  not  use  the  code.  We  characterized 
— SDVS  comment:  these  functions  by  adalemmas  for  the  code, 
package  body  INTRINSIC.FUNCTIONS  is  —SDVS  add 

use  GLOBAL.TYPES;  —SDVS  add 

function  AND.I  (X,  Y:  INTEGER)  return  INTEGER  is  —SDVS  add 
TEMPX,  TEMPY,  RET:  INTEGER;  —SDVS  add 
POWER:  INTEGER;  —SDVS  add 
begin  — SDVS  add 

TEMPX  :=  X;  —SDVS  add 
TEMPY  :=  Y;  —SDVS  add 
RET  ;=  0;  —SDVS  add 
POWER  :=  0;  —SDVS  add 

while  (TEMPX  /=  0)  or  (TEMPY  /=  0)  loop  —SDVS  add 
RET  :  = 

RET  +  ((TEMPY  mod  2)*(TEHPX  nod  2))*(2  POWER);  —SDVS  add 
TEMPX  :=  TEMPX  /  2;  TEMPY  :=  TEMPY  /  2;  —SDVS  add 
POWER  :=  POWER  +  1;  —SDVS  add 
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end  loop;  — SDVS  add 
retiirn  RET ;  — SDVS  add 
end  AND.I;  —SDVS  add 

function  AND_W0RD  (X,  Y:  GLOB AL.TYPES. WORD) 

return  GLDBAL.TYPES  .WORD  is  —SDVS  add 
TEMPX,  TEMPY,  RET:  GLOB AL_TYPES. WORD;  —SDVS  add 
POWER;  GLOB AL_TYPES. WORD;  —SDVS  add 
begin  — SDVS  add 

TEMPX  :=  X;  —SDVS  add 
TEMPY  :=  Y;  —SDVS  add 
RET  :=  0;  —SDVS  add 
POWER  :=  0;  —SDVS  add 

ohile  (TEMPX  /=  0)  or  (TEMPY  /=  0)  loop  —SDVS  add 
RET  ;  = 

RET  +  ((TEMPY  mod  2)*(TEMPX  mod  2))* (2  ♦*  POWER);  —SDVS  add 
TEMPX  :=  TEMPX  /  2;  TEMPY  :=  TEMPY  /  2;  —SDVS  add 
POWER  :=  POWER  +  1;  —SDVS  add 
end  loop;  — SDVS  add 
return  RET ;  — SDVS  add 
end  AND.WORD;  —SDVS  add 

function  AND.BYTE  (X,  Y:  GLOB AL_TYPES .BYTE) 

return  GLOBAL.TYPES  .BYTE  is  —SDVS  add 
TEMPX,  TEMPY,  RET:  GLOBAL.TYPES.BYTE;  —SDVS  add 
POWER:  GLOB AL.TYPES. BYTE;  —SDVS  add 
begin  — SDVS  add 

TEMPX  :=  X;  —SDVS  add 
TEMPY  :=  Y;  —SDVS  add 
RET  :=  0;  —SDVS  add 
POWER  :=  0;  —SDVS  add 

while  (TEMPX  /=  0)  or  (TEMPY  /=  0)  loop  —SDVS  add 
RET  :  = 

RET  +  ((TEMPY  mod  2)* (TEMPX  mod  2))* (2  **  POWER);  —SDVS  add 
TEMPX  :=  TEMPX  /  2;  TEMPY  :=  TEMPY  /  2;  —SDVS  add 
POWER  :=  POWER  +  1;  —SDVS  add 
end  loop;  — SDVS  add 
return  RET ;  — SDVS  add 
end  AND.BYTE;  —SDVS  add 

function  0R_I  (X,  Y:  INTEGER)  return  INTEGER  is  —SDVS  add 
TEMPX,  TEMPY,  RET:  INTEGER;  —SDVS  add 
POWER:  INTEGER;  —SDVS  add 
begin  — SDVS  add 

TEMPX  ;=  X;  —SDVS  add 
TEMPY  :=  Y;  —SDVS  add 
RET  :=  0;  —SDVS  add 
POWER  :=  0;  —SDVS  add 

while  (TEMPX  /=  0)  or  (TEMPY  /=  0)  loop  —SDVS  add 

RET  :=  RET  +  (TEMPX  mod  2  +  TEMPY  mod  2  -  —SDVS  add 
((TEMPY  mod  2)*(TEMPX  mod  2)))*(2  **  POWER);  —SDVS  add 
TEMPX  :=  TEMPX  /  2;  TEMPY  :=  TEMPY  /  2;  —SDVS  add 
POWER  :=  POWER  +  1;  —SDVS  add 
end  loop;  — SDVS  add 
RETURN  RET;  —SDVS  add 
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end  DR_I;  — SDVS  add 


function  0R_W0RD  (X,  Y:  GLOB AL.TYPES .WORD) 

return  GLOB AL_TYPES  .WORD  is  —SDVS  add 
TEMPX,  TEMPY,  RET:  GLOBAL_TYPES . WORD ;  —SDVS  add 
POWER:  GLOBAL, TYPES. WORD;  —SDVS  add 
begin  — SDVS  add 

TEMPX  :=  X;  —SDVS  add 
TEMPY  :=  Y;  —SDVS  add 
RET  :=  0;  —SDVS  add 
POWER  :=  0;  —SDVS  add 

ffhile  (TEMPX  /=  0)  or  (TEMPY  /=  0)  loop  —SDVS  add 
RET  :=  RET  +  (TEMPX  nod  2  +  TEMPY  nod  2  -  —SDVS  add 

((TEMPY  mod  2)* (TEMPX  mod  2)))*(2  **  POWER);  —SDVS  add 
TEMPX  :=  TEMPX  /  2;  TEMPY  :=  TEMPY  /  2;  —SDVS  add 
POWER  :=  POWER  +  1;  —SDVS  add 
end  loop;  — SDVS  add 
RETURN  RET;  —SDVS  add 
end  0R_W0RD;  —SDVS  add 

function  SHIFT_LOGICAL_WORD  (X:  GLOBAL_TYPES . WORD ;  Y:  INTEGER) 

return  GLOBAL.TYPES .  WORD  is  —SDVS  add 
TEMPX :GLOBAL_TYPES. WORD;  —SDVS  add 
begin  — SDVS  add 
TEMPX  :=  X;  —SDVS  add 
if  Y  >=  0  then  —SDVS  add 

for  I  in  1..Y  loop  — SDVS  add 

if  TEMPX  >=  32768  then  TEMPX  :=  TEMPX  -  32768;  —SDVS  add 
end  if ;  — SDVS  add 
TEMPX  :=  TEMPX*2;  —SDVS  add 
end  loop;  — SDVS  add 
return  TEMPX;  —SDVS  add 
else  — SDVS  add 

for  I  in  1 .  .  (-Y)  loop  —SDVS  add 
TEMPX  :=  TEMPX  /  2;  —SDVS  add 
end  loop;  — SDVS  add 
return  TEMPX;  — SDVS  add 
end  if;  —SDVS  add 

end  SHIFT_LOGICAL_WORD;  —SDVS  add 

function  X0R_W0RD  (X,  Y:  GLOB AL.TYPES. WORD) 

return  GLOBAL.TYPES . WORD  is  —SDVS  add 
TEMPX,  TEMPY,  RET:  GLOB AL.TYPES. WORD;  —SDVS  add 
POWER:  GLOBAL_TYPES.WORD;  —SDVS  add 
begin  — SDVS  add 

TEMPX  :=  X;  —SDVS  add 
TEMPY  :=  Y;  —SDVS  add 
RET  :=  0;  —SDVS  add 
POWER  :=  0;  —SDVS  add 

while  (TEMPX  /=  0)  or  (TEMPY  /=  0)  loop  —SDVS  add 
RET  :=  RET  +  (TEMPX  mod  2  +  TEMPY  mod  2  -  —SDVS  add 

((TEMPY  mod  2)*(TEHPX  mod  2)))*(2  **  POWER);  —SDVS  add 
TEMPX  :=  TEMPX  /  2;  TEMPY  :=  TEMPY  /  2;  —SDVS  add 
POWER  :=  POWER  +  1;  —SDVS  add 
end  loop;  — SDVS  add 
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RETURN  RET;  —SDVS  add 
end  XDR_WORD;  —SDVS  add 

end  INTRINSIC.FUNCTIONS ;  —SDVS  add 


— Susers : [na.adacode .bld2 .longload.ds. chg]serial_dig_cmds . adb 


SERIAL_DIG_CMDS . ADB 


—  TYPE:  Package  Body 

—  PURPOSE  :  This  package  contains  software  to  support  the 

interface  with  the  serial  digital  command  system. 

The  hierachy  of  subprograms  in  this  package  is 
as  follows: 

I.  RET_CMD_CGUNT  (Called  by  the  task  APP_MSGS .BUILD) 

II.  RET_CMD_BUP_AND_STATUS  (Called  by  the  task  APP.MSGS .BUILD 
when  the  command  count  is  >  0) 

III.  CMD_IN_HANDLER  (This  is  the  standard  interrupt  handler  for 
the  short  data  command  interrupt.  When  a  short  data 
command  interrupt  occures,  control  is  vectored  to 
TP_STD_INT.PROC_SERVICE_SETUP,  in  turn 

TP_STD_INT_PROC_SERVICE_SETUP  calls  this  routine  to  service 
the  interrupt.) 

A . ASM.UTILITY . CHECK .PARITY 

—  EXCEPTIONS: 

—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 

yy/mm/dd  B.  Na  Build  2  Chcinges 


—SDVS  delete  (with):  with  GLOBAL.TYPES ; 

—SDVS  delete  (with):  with  ARTCLIENT; 

—SDVS  delete  (with) :  with  UHCHECKED.CONVERSION; 
—SDVS  delete  (with):  with  INTRINSIC.FUNCTIOHS; 
use  INTRINSIC.FUNCTIONS ; 

—SDVS  delete  (with) :  with  MEMORY.HANAGER; 

—SDVS  delete  (with):  with  ASM.UTILITY; 


package  body  SERIAL_DIG_CMDS  is 

—  Holds  the  commands  read  from  the  FIFO  and  not  yet  retrieved  by 

—  APP.MSGS. BUILD.  Filled  with  the  commands  as  they  received  by 

—  CMD_IN_HANDLER.  Cmd.Count  is  used  as  an  index  into  the  buffer. 

—  If  Cmd.Count  =  N,  the  following  depicts  the  command  buffer. 
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—  (1) 


—  (2) 


--  (3) 


First  Byte 

1 

Second  Byte 

Third  Byte 

1 

Fourth  Byte 

First  Byte 

1 

Second  Byte 

Third  Byte 

1 

Fourth  Byte 

First  Byte 

1 

Second  Byte 

1 

Third  Byte 

1 

Fourth  Byte 

1 

Coanemd  1 


Coimand  2 


Comaand  3 


First  Byte 

1  Second  Byte 

1 

Third  Byte 

1  Fourth  Byte 

- + - 

1  OuMHidiiQ 

1 

- + 

—  (70)  I - + 

I  I 

+ - +. 

Cmd.Buf  :  CMD_BUF_TYPE ; 

—  Holds  the  command  statuses  that  are  not  yet  retrieved  by 

—  APP_HSGS .BUILD.  Cmd_Count  is  used  as  an  index  into  the  buffer. 

—  If  Cmd_Count  =  N,  the  following  depicts  the  status  buffer. 


+ - + 

(1)  1  Command  1  Status  I 

+ - ^ 

(2)  I  Command  2  Status  I 

+ - + 

(3)  I  Command  3  Status  I 

+ - + 


(M)  I  Command  K  Status  I 

+ - + 


I  I 

+ - + 

—  (70)  I  I 

+ - + 


Cmd_Status_Buf  :  CMD_STATUS_BUP_TYPE; 

—  The  following  command  status  values  are  possible  while  the 

—  commands  are  being  received  and  buffered  by  SERIAL_DIG_CMDS : 
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Ciiid_GK  =  0, 

CiBd_Bad_Pari'ty  =  7 , 

CBid_Lost  =  8, 

Cad_FIFO_Not_Empty  =  16 

Cmd_FIFO_No't_Empty  and  Ciid_Bad_Parity  =16  +  7 
Cmd.Lost  and  Cmd_Bad_Parity  =8+7 

—  Cmd_Lost  is  allowed  only  for  the  last  (70th)  command  in  the 

—  buffer. 

Cmd.Status  :  INTEGER; 

—  Indicates  that  the  new  command  read  is  not  stored  in  the  buffer  (lost) 

—  because  the  buffer  is  already  full. 

Lost.Cmd  :  BOOLEAN  :=  False; 

Cmd_Count  :  INTEGER  :=  0;  —  Used  as  the  index  into  Cmd_Buf. 

FIFO_Not_Empty_Count  :  INTEGER  :=  0;  —  Running  total  of  FIFO  not  empty 

—  condition. 


—  io  status  type  is  an  array  1. .16  of  boolean. 

—  Spacecraft  10  #  1  Status  Bit  Map 

Bit  0  -  Housekeep  TLH  FIFO  empty  flag,  0  =  empty 

Bit  1  -  Housekeep  TLM  FIFO  full  flag,  0  =  empty 

Bit  2  -  Memory  Dump  FIFO  empty  flag,  0  =  empty 

Bit  3  -  Memory  Dump  FIFO  full  flag,  0  =  empty 

Bit  4  -  Universal  TimeFIFO  empty  flag,  0  =  empty 

Bit  5  -  Universal  Time  Mode  Status,  0=internal,  l=normal 

Bit  6  -  Data  Cmd  FIFO  empty  flag,  0  =  empty 

Bit  7  -  Data  Cmd  FIFO  full  flag,  0  =  empty 


I0_Status_Bits  :  GLOBAL.TYPES . I0_STATUS_TYPE; 

IO_Status_Word  :  GLOBAL.TYPES . WORD ; 


—  Procedures 

—SDVS 

comment : 

—SDVS 

comment ; 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

comment : 

—SDVS 

comment : 

—SDVS 

comment : 

check. 

function  CONV_WORD_TD.BIT_ARRAY  is  new 
UNCHECKED.CONVERSION 

(SOURCE  =>  GLOBAL.TYPES.WORD, 

TARGET  =>  GLOBAL_TYPES.IO_STATUS_TYPE) ; 


function  RET_MSG_ID  return  GLOBAL.TYPES .BYTE  is  — SDVS  add 
begin  — SDVS  add 

return  Cmd_Buf (1) .Third_Byte;  — SDVS  add 
end  RET_MSG_ID;  —SDVS  add 


FUNCTION  RET_CMD_COUNT 


—  PURPOSE:  This  function  retiims  the  command  count.  The 

command  count  is  read  to  see  if  the  command  buffer 
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contains  any  coimands  to  be  retrieved.  Only  called 
by  APP.MSGS. BUILD. 

—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 


function  RET_CHD_COUNT  return  INTEGER  is 
begin 

return  SERIAL_DIG_CMDS .  CjBd.Count ; 
end  RET_CMD_COUNT; 


PROCEDURE  RET_CMD_BUF_AND_STATUS 


—  PURPOSE  :  This  procedure  provides  the  commands  and  statuses 

buffered  to  be  build  into  application  messages. 
The  commands  and  statuses  are  not  double-buffered 
Once  the  buffer  content  is  copied  to  the  output 
parameters,  it  is  re-initialized.  This  procedure 
is  called  by  APP.HSGS. BUILD. 

—  NOTES; 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 


procedure  RET_CMD_BUF_AND_STATUS 


(Cmd_Buf 

out 

CMD_BUF_TYPE; 

Cmd_Status_Buf 

out 

CHD_STATUS_BUF_TYPE ; 

Cmd_Count 

out 

INTEGER; 

FIFO_Not_Empty_Count 

out 

INTEGER; 

I0_Status_Word 

out 

GL0BAL_TYPES.¥0RD; 

Lost_Cmd 

out 

BOOLEAN)  is 

begin 

—  XIO  RA.DSBL  disables  int.  Programmers  should  ensiire  that 

—  exceptions  do  not  cause  calls  to  Leave_Critical_Section  to 

—  be  missed.  Refer  to  page  8-21  of  Tartan  manual. 

— SDVS  delete  (artclient) :  Artclient .Enter_Critical_Section; 

—  Copy  buffer  contents  and  counters  to  output  parameters. 
Cmd_Buf  :=  SERIAL_DIG_CMDS . Cmd_Buf ; 
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Cmd_Status_Buf 
Cmd_ Count 

FIFO_Not_Empty_Count 

IO_Status_Word 

Lost_Cmd 


SERIAL_DIG_CHDS . Cmd_Status_Buf ; 
SERIAL_DIG_CHDS . Cmd_ Count ; 
SERIAL_DIG_CMDS . FIFO_Not_Empty_Count ; 
SERIAL_DIG_CMDS . IO_Status_Word ; 

SERI AL_DIG_CMDS . Lost.Cmd ; 


—  Re-initialize  counters. 


SERIAL_DIG_CMDS . Cmd_Count  :=  0; 
SERIAL_DIG_CHDS.FIFO_Not_Empty_Count  :=  0; 
SERIAL_DIG_CHDS.Lost_Cmd  :=  False; 

—  XIO  RA.ENBL  enables  int. 

— SDVS  delete  (artclient) :  Artclient .Leave_Critical_Section; 

end  RET_CMD_BTJF_AND_STATOS; 


PROCEDURE  CMD.IN.HANDLER 


—  PURPOSE:  This  interrupt  handler  is  called  by 

TP_STD_INT_PROC.SERVICE_SETUP  ohen  a  serial 
digital  command  interrupt  occurs.  This  routine 
reads  the  command  bytes  from  the  FIFO,  checkes 
its  parity  and  reads  and  saves  the  spacecraft 
10  #1  status.  Then  the  read  commands  are  packed 
into  two  16-bit  words  and  stored  in  the  command 
buffer. 

The  serial  digital  command  FIFO  address  is  E0800  -E09FF 
(E1800  -  E19FF  . . .  E7800  -  E79FF) .  To  reset  the 
Data_Cmd_FIF0 ,  write  to  I/O  address  0230  (0230  -  0237). 
I/O  address  8200  (8200-820f)  provides  status. 

Bit  D6  (numbered  D0-D15)  is  data  cmd  FIFO  not  empty  flag 
(0  =  empty) .  Bit  D7  is  data  cmd  FIFO  not  full  flag 
(  0  =  fulK).  To  reset  the  Data  Cmd  interrupt, 
write  to  I/O  address  0228  (0228  -  022F) .  It  does  not 
matter  what  the  data  value  is. 


—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 


procedure  CMD_IN_HANDLER  is 

—SDVS  delete  (her):  Cmd_In_FIF0_Addr  :  constant  LONG.INTEGER  :=  16#O0OEO8OO# 

Cmd_In_FIF0_Addr  :  constant  LONG.INTEGER  :=  919552;— SDVS  replace 

—  The  intrisic  INPUT_W0RD  will  add  16#8000#  before  performs 

—  XIO  to  read  from  the  input  port 
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— SDVS  delete  (hex):  IO_Status_Port  :  constant  INTEGER  :=  16#0200#; 

IO_Status_Port  :  constant  INTEGER  :=  512;— SDVS  replace 

— SDVS  delete  (hex):  Ser_Dig_Int_Port  :  constant  INTEGER  :=  16#0228#; 

Ser_Dig_Int_Port  :  constant  INTEGER  :=  552; — SDVS  replace 

— SDVS  delete  (hex):  Ser_Dig_FIFO_Reset_Port  ;  constant  INTEGER  :=  16#0230#; 

Ser_Dig_FIFO_Reset_Port  :  constant  INTEGER  :=  560; — SDVS  replace 
Data_Ciid_FIFO_Not_EMpty  :  constant  INTEGER  :=  6; 

Data_Ciiid_FIFO_Not_Full  :  constant  INTEGER  :=  7; 

—  Operate  on  4  byte  (=  32  bit)  serial  digital  conmamd. 

Ciid_Size  :  constant  INTEGER  :=  4; 

C*d_Unpacked  :  array  (1 . .C*d_Size)  of  GLOBAL_TYPES.WORD; 

Cmd  :  CMD_BYTES_TYPE;  —  4  bytes  are  packed  in  2  uords 

Good.Parity  :  BOOLEAN  :=  TRUE;  —  indicates  the  parity-check 

—  status  of  Cmd. 

begin 

—  May  want  to  move  one  byte  at  a  time  and  check  FIFO  empty  since 

—  parity  bit  is  only  a  BOX  test  if  do  not  get  all  4  bytes.  However, 

—  8085  on  S/C  I/O  #1  always  sends  4  bytes  or  none.  May  lose  some 

—  commands  but  should  not  get  spurious  ones.  Discuss  keeping  parity 

—  bit  or  changing  it  (maybe  nibble  parity  or  no  parity) . 

—  Read  4  bytes  from  cmd  in  FIFO  into  a  temporary  buffer.  The  FIFO 

—  is  only  byte  wide.  High  order  byte  is  not  used. 

Cmd.Unpacked  Format 

+ - + - + 

I  I  First  Byte  I 

+ - + - + 

I  I  Second  Byte  I 

+ - + - + 

I  I  Third  Byte  I 

+ - + - + 

I  I  Fourth  Byte  I 

+ - + - + 

— SDVS  comment:  Cmd.Unpacked  gets  a  value  by  the  call  to  MEMORY .MANAGER. READ_FIFD , 

— SDVS  comment:  which  is  written  in  1750A.  We  replaced  this  call  by  the  "for"  loop  which 
— SDVS  comment:  gets  4  bytes  from  the  input. 

—SDVS  delete  (1750A):  MEMORY_MANAGER.READ_FIFO(Cmd_In_FIFD_Addr , 

— SDVS  delete  (1750A):  Cmd.Unpacked' address, 

— SDVS  delete  (1750A):  Cmd.Size) ; 

for  i  in  1  . .  4  loop  — SDVS  replace 
get(Cmd_Unpacked(i)) ;  — SDVS  replace 
end  loop;  — SDVS  replace 

—  Initialize  command  status. 

Cmd.Status  :=  Cmd.OK; 

— SDVS  comment:  The  next  two  assignment  statements  and  the  "if"  statement  are 
— SDVS  comment :  used  to  determine  the  ID_Status_Word  and  the  FIFO_Not_Empty_Count 
— SDVS  comment:  for  the  command  just  obtained.  These  values  are  eventually  passed 
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— SDVS  comment:  to  APP_HSGS.RET_LATEST_CHDS  which  processes  the  information  for 
— SDVS  comment:  housekeeping  telemetry.  RET_LATEST_CHDS  is  never  called  in  the 
— SDVS  comment:  target  software.  For  this  reason  tind  because  the  code  below  uses 
— SDVS  comment:  intrinsic  functions  (supplied  for  the  Tartan  compiler  only), 

— SDVS  comment :  we  have  deleted  the  assignment  statements  and 

— SDVS  comment:  the  "if"  statement.  However,  because  the  IO_Status_Word  is  assigned 
— SDVS  comment:  to  an  out  parameter  of  type  "word"  in  a  procedure  call,  SDVS  requires 
— SDVS  comment:  that,  in  the  symbolic  execution  of  this  call,  the  out  parameter 
— SDVS  comment:  value  be  in  the  range  0..255.  Thus,  we  arbitrarily  assign 
— SDVS  comment:  0  to  IO_Status_Word  to  meet  this  constraint. 

—  Read  Spacecraft  ID  #1  Status  after  the  data  is  read  out  of  the 

—  FIFO  but  before  the  FIFO  is  reset  or  receives  the  next  message . 

—  Refer  to  TP/DHS  IDS,  page  6. 

—SDVS  delete:  IO_Status_Word  :=  INPUT_WORD(PI,  ID_Status_Port)  ; 

IO_Status_Word  :=  0;  — SDVS  add 

—SDVS  delete:  I0_Status_Bits  :=  CQNV_WQRD_TO_BIT_ARRAY(IO_Status_Word)  ; 

— SDVS  delete:  if  IQ_Status_Bits(Data_Cmd_FIFO_Not_Empty)  then 

—SDVS  delete:  0XJTPUT_I (16#0000#,  PO,  Ser_Dig_FIFO_Beset_Port)  ; 

— SDVS  delete:  Cmd_Status  :=  Cmd_FIFO_Not_Empty ; 

— SDVS  delete:  FIFO_Not_Empty_Count  :=  (FIFO_Not_Empty_Count  +1)  mod  256; 

— SDVS  delete:  end  if; 

—  Check  for  odd  parity 

—SDVS  delete:  Good.Parity  :=  ASM_UTILITY.CHECK_PARITY(Cmd_Unpacked’address) ; 

Good.Parity  :=  ASH_UTILITY.CHECK_PARITY;— SDVS  replace 
if  Good.Parity  then 

Cmd.Status  :=  Cmd.Status  +  Cmd.OK; 
else 

Cmd.Status  :=  Cmd.Status  +  Cmd_Bad_Parity; 
end  if; 


—  Packed  Format 

+ - + - + 

I  First  Byte  I  Second  Byte  I 

+ - + - + 

I  Third  Byte  1  Fourth  Byte  I 

+ - + - + 


Cmd.First.Byte  :=  GLOBAL.TYPES .BYTE(Cmd_Unpacked(l) ) ; 

Cmd. Second.Byte  :=  GLOBAL.TYPES .BYTE(Cmd_Unpacked(2) ) ; 

Cmd.Third.Byte  :=  6LQBAL_TYPES.BYTE(Cmd_Unpacked(3)) ; 
Cmd.Fourth.Byte  :=  GLOBAL.TYPES .BYTE(Cmd_Unpacked(4) ) ; 

—  Reset  Serial  Digital  Command  Interrupt. 

—SDVS  delete  (intrinsics) :  0UTPUT_I(16#0000#,  PD,  Ser_Dig_Int_Port)  ; 

—  Store  the  cmd  in  the  buffer  if  the  buffer  is  not  full 

if  Cmd.Count  <  Cmd_Buf_Size  then 

—  Cannot  allow  reading  of  cmd.count  till  buffers  are  updated. 

—  Also  caimot  allow  reading  of  buffers  while  not  in  a  steady 
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—  state.  Since  done  at  interrupt  level  this  is  not  necessary. 

—  Artclient. Ent  er_Critical_Sect ion ; 

—  Never  wraps  aroxind  because  of  RET_CMD_BUF_AND_STATUS  proc. 

—  don’t  need  head  index  -  always  1. 

—  Cmd_Count  is  same  as  tail_indei 

Cmd_Count  :=  Cmd.Count  +  1; 

CBd_Buf (Cmd_Count)  :=  Cmd; 

Cmd_Status_Buf (CBd_Count)  :=  Cmd_Status; 

—  Since  done  at  interrupt  level  this  is  not  necessary. 

—  Artclient .Leave_Critical_Section; 


else 

Cmd_Status_Buf (Cad_Buf _Size)  :=  Cmd_Status_Buf (Cmd_Buf _Size)  +  CBd_Lost; 
Lost_Cmd  :=  True;  —  This  condition  will  be  reported  as  system  error 
—  by  APP_MSGS. BUILD. 

end  if ; 

end  CMD_IN_HANDLER; 


begin 

null;  —  There  will  be  no  specific  initialization  done  at  the  elaboration 

—  of  Serial_Dig_Cmds  and  no  exception  is  anticipated  for  this 

—  package . 

end  SERIAL_DIG_CMDS ; 

— SDVS  comment:  JHU/APL  did  not  give  us  a  body  for  the  HODE.STATE  package, 

— SDVS  comment :  since  it  did  not  appear  we  would  need  it . 

— SDVS  comment:  These  procedures  allow  us  to  write  to  EEPRDM. 

— SDVS  comment:  We  have  provided  trivial  bodies  for  them, 
package  body  MODE_STATE  is  — SDVS  add 

procedure  PERFORM_SOFT_RESET  is  —SDVS  add 
begin  — SDVS  add 
null;  —SDVS  add 

end  PERFORM_SQFT_RESET;  —SDVS  add 

function  RETRIEVE. CUR_ STATE  return  HODE_STATE_TYPE  is  —SDVS  add 
begin  — SDVS  add 

return  Init_ffiPROH_Write;  — SDVS  add 
end  RETRIEVE. CUR.STATE;  —SDVS  add 

procedure  CHG.STATE(Mode.State.Req  :  in  MODE.STATE.TYPE;  —SDVS  add 

Status.Of.Request  :  out  STATUS.OF.REQUEST.TYPE)  is  —SDVS  add 

begin  — SDVS  add 
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Status_Of_Request  :=  State_Granted;  — SDVS  add 
end  CHG.STATE;  —SDVS  add 

end  MODE_STATE;  —SDVS  add 

—  $users: [na.adacode.bld2. longload.ds]eeprom_data_struc .adb 


EEPROM_DATA.ADB 


—  TYPE:  Package  Body 

—  PURPOSE  :  This  package  stores  and  retrieves  EEPROH  data. 

There  are  three  types  of  EEPRQM  data  stored  and 
retrieved  by  this  package: 


1 .  data  structure 

2.  specific  memory  (EEPROM)  load  data 

3.  miscellaneous  system  variable  data 

The  hierarchy  of  subprograms  in  this  package  is 
as  follows: 


I.  STORE_DATA_STRUC_IN_EEPRQM  (called  by  APP.MSGS .PROCESS.MSG 
ARRAy_DF_BLQCKS.PROCESS_MSGS_IN_BLDCKS) 

A.  CQPY_POINTERS_FROH_EEPROM  (updates  Data_Struc_Ptr_List 
and  Free_Area  pointers) 

1 .  MEMORY_MANAGER. MOVE_FROM_PHY_LOC_TD_VARIABLE 

B .  DETERMIKE.STORAGE.LOC 

1.  TM.DATA. MANAGE.  REPORT_SYSTEH_ERROR 

2.  CORRECT_BAD_STRUC_PTR 

2.1.  TM.DATA . MANAGE .  KEPORT_S YSTEH . ERROR 

2.2.  MEMORY.MANAGER . WRITE_BL0CK_T0_EEPR0H 

2.3.  MEMORY.MANAGER. CONFIRM_EEPRDH_DATA 

C .  WRITE.LOAD.DATA.TQ.EEPROM 

1 .  WRITE_BLOCK 

1.1.  MEMORY.MANAGER . WRITE.BLOCK.TO.EEPROM 

1.2.  MEMORY.MANAGER . CONFIRH.EEPROM.DATA 

1.3.  TM.DATA . MANAGE . REPORT.S YSTEM.ERROR 

2 .  MEMORY.MANAGER . WRITE.TO.EEPROM.BLOCK .ALIGN 

3 .  MEMORY.MANAGER . CONFIRH.EEPROM.DATA 

4.  TM.DATA. MANAGE. REPORT.SYSTEM.ERROR 

D.  ALLOC.NEW.STORAGE.AREA 

1 .  ALLOCATE.STORAGE 

1.1.  UPDATE.EEPRDM.STRUC_PTRS 

1.1.1.  MEMORY.MANAGER. WRITE.BL0CK.T0.EEPR0M 

1.2.  UPDATE.EEPROM.FREE.PTRS 

1.1.1.  MEMORY.MANAGER . WRITE.BLOCK.TD.EEPROM 

1.1.2.  MEMORY.MANAGER . CONFIRM.EEPROM.DATA 

2.  CORRECT.BAD.FREE.AREA.PTR 

2 . 1  TM.DATA . MANAGE . REPORT.SYSTEM.ERROR 

3 .  UPDATE.EEPROM.STRUC.PTRS 

3 . 1  MEMORY.MANAGER. WRITE.BLOCK.TO .EEPROM 

4.  TM.DATA. MANAGE. REPORT.SYSTEM.ERROR 

E.  MEMORY.MANAGER. CONV.TYPE 
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F .  TM.DATA . MANAGE . REPORT. SYSTEM_ERROR 


II.  RET_DATA_STRUC_IN_EEPRDM  (called  by  TRKING.PARAMS . INIT.PARMS) 

A.  CaPY_POINTERS_FROM_EEPROM 

1.  MEMDRY_MANAGER.MOVE_FROM_PHY_LDC_TO_VARIABLE 

B .  DETERMINE_STORAGE_LOC 

1.  TM.DATA.  MANAGE. REPORT_SYSTEM_ERROR 

2.  MEMORY_MANAGER.WRITE_BLOCK_TO_EEPRDM 

3.  MEMORY_MANAGER.CONFIRM_EEPRDM_DATA 

III.  RET_SYS_CONFIG  (called  by  APP.MSGS. PROCESS _MSGS_IN_BLOCKS) 

A.  MEMORY.MANAGER. MO VE_FROM_PHY_LDC_TO .VARIABLE 

B.  MEMORY_MANAGER.WRITE_BLOCK.TO_EEPROM 

C.  MEMORY.MANAGER.CONFIRM.EEPROM.DATA 

D .  TM.DATA . MANAGE . REPORT.SYSTEM.ERROR 

IV.  WRITE.LOAD.DATA.TO.EEPROM  (called  bye  APP.MSGS. PROCESS. 
MSG.TYPE  and  ARRAY.OF.BLOCKS.WRITE.TO.MEMORY) 

A.  WRITE.BLOCK 

1.  MEHORY_MANAGER.WRITE_BLOCK_TO_EEPROM 

2.  MEMORY_MANAGER.CONFIRM_EEPROM_DATA 

3.  TM.DATA. MANAGE. REPORT.SYSTEM.ERROR 

B.  MEMORY.MANAGER.WRITE.TO.EEPROM.BLOCK. ALIGN 

C.  MEMORY.MANAGER.CONFIRM.EEPROM.DATA 

D.  TM.DATA. MANAGE. REPORT.SYSTEM.ERROR 

—  EXCEPTIONS: 


—  NOTES: 

—  CHANGE  HISTORY:  01/31/92  S.  HUTTON/B.  Na  Initial  Version 


package  body  EEPROM.DATA  is 


PROCEDURE  STORE.DATA.STRUC.IN.EEPROM 


—  PURPOSE  :  Tbis  procedure  is  the  aain  control  software  for 
storing  data  structures  in  EEPROM. 

Before  fly,  in  general  (unless  EEPROM  failure  location 
before  fly)  Data.Struc.Ptr.List  for  1st  data  struc  block 
are  allocated  and  default  values  exist  for  structures. 
The  2nd  data  structure  block  is  set  as  shown  below  to 
designate  never  allocated. 

Data.Struc.Ptr.List (1 ,Data.Struc.ID)  :=  68; 
Data.Struc.Ptr.List (2, Data.Struc.ID)  :=  18; 
Data.Struc.Ptr.List (3, Data.Struc.ID)  :=  9; 
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EEPROM  Data  Structure  Block  Format 


Physical  Address 
(Blk  1)  (Blk  2) 
80000  BF800 

80050  BF850 

8009E  BF89E 

800ED  BF8ED 

800F0  BF8F0 


807FF  BFFFF 


—  NOTES: 

—  CHANGE  HISTORY:  01/10/92  S.  HUTTON/B.  NA  Original 

procedure  STORE_DATA_STRUC_IN_EEPROH 


(Array_Df_Words 

:  in 

CMDS.TYPES . APP_MSG_0UT_TYPE ; 

Data_Struc_ID 

:  in 

INTEGER; 

Dat  a_Struc_Length 

:  in 

INTEGER)  is 

use  INTR1NSIC_FUNCTIQNS; 

— SDVS  add 

Data_Struc_Ptr_List(l , 1 . .79) 


+ - + 


Data_Struc_Ptr_List(2,l. .79) 


+ - + 


Data_Struc_Ptr_List (3,1. .79) 


+ - + 

I  Free_Area  pointer  (1)  | 

I  Free_Area  pointer  (2)  I 

I  Free_Area  pointer  (3)  I 

+ - + 

I  I 

I  Data  Structure  Storage  i 

I  Area  I 


Data  Stucture  Storage 
Free  Area 
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begin 


for  I  in  2  . .  Data_Struc_Length  +  1  loop  — SDVS  replace 
put(Array_Of_Words(i)) ;  — SDVS  replace 
end  loop;  — SDVS  replace 


end  STORE_DATA_STRUC_IN_EEPRaM; 


begin 
null ; 

end  EEPROH.DATA; 


— SDVS  coment : 
— SDVS  comaent : 
— SDVS  coBuaent : 
— SDVS  comment : 
— SDVS  comment : 
— SDVS  comment : 
— SDVS  comment : 
package  body  TM_ 


The  package  body  of  TM_DATA  below  is  only  a  simplification 
of  the  real  TM_DATA  body.  In  the  real  one,  MANAGE  is  a  task 
and  REPDRT_SYSTEH_ERROR  is  one  of  its  entries.  Furthermore, 
we  do  not  even  have  the  body  of  TM_DATA  and  it  probably  does 
not  contain  a  “put."  We  dealt  with  these  problems  in  the  manner 
below.  No  branch  in  the  SDVS  execution  lead  to  a  call  of 
the  procedure  REPORT_SYSTEM_ERROR 
DATA  is 


package  body  MANAGE  is  — SDVS  replacement 

procedure  REPQRT_SYSTEM_ERROR(Sys_Error_Code  : 

in  GLOBAL_TYPES .BYTE)  is  — SDVS  replacement 

begin  — SDVS  replacement 
put(Sys_Error_Code) ;  — SDVS  replacement 
end  REPDRT_SYSTEM_ERROR;  — SDVS  replacement 


end  MANAGE;  — SDVS  replacement 
end  TM.DATA; 


—  Susers :  [na. adacode .bld2 . longload] app_msgs . adb 


APP.MSGS.ADB 


—  TYPE:  Package  Body 

—  PURPOSE  :  This  package  contains  software  to  build  and 

process  the  application  messages  for  the  serial  digital 
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coaunaiids  buffered  by  SERIAL_DIG_CMDS . 


The  hierachy  of  subprograms  in  this  package  is  as  follows: 

I.  BUILD  (This  task  runs  at  a  2  Hz  rate  and  initiates  a  rendezvous 

with  MANAGE_MS6_RETRIEVAL  at  the  entry  point 
NDTIFY_MSG_ STORED.) 

A.  SERIAL_DIG_CMDS.RET_CMD_COUNT 

B .  SERI AL_DIG_CMDS . RET_  CMD_BUF_ AKD_STATUS 

C.  TM.DATA. MANAGE.  REPORT_SYSTEM_ERROR 

D.  INITIATE.BUILD 

E.  CQNTINUE_BUILD 

F .  MANAGE_MSG_RETRIEVAL . NOTIFY_MSG_STORED 

II.  PRDCESS_MSG  (This  task  runs  without  any  delay  but  pends  at  the 

guarded  entry  MANAGE_MSG_RETRIEVAL . RET_NEXT_MSG . ) 

A.  MANAGE_MSG_RETRIEVAL.RET_NEXT_MSG 

B .  MQDE_STATE . RETRIEVE. CUR.ST ATE 

C.  MODE.STATE.CHG.STATE 

D .  EEPROM.DATA . STORE_DATA_STRUC_IN_EEPROM 

E.  TH.DATA. MANAGE. REPORT_SYSTEM_ERROR 

F .  TRKING.P ARAMS . MANAGE . STORE_TRKING_STRUC 

G.  MEMORY_MANAGER.WRITE_BLOCK_TO_EEPROM 

H .  PRIME.SCIENCE.DATA . SET_PRIME.SCI_DATA_RATE 

I.  MODE.STATE.PERFORM.SOFT.RESET 

J .  ARRAY_0F_BL0CKS . INIT.LDNG.LOAD 

K .  ARRAY_QF_BLOCKS . PROCESS_MSGS_IN_BLOCKS . PREPARE.FOR.TIMEDUT 

L .  MEMORY.MANAGER . CONV.TYPE 

M.  POINTING_INFO_OUT.SHUTDOWN_IMMINENT 

N.  TM.PROCESS_CMD.UPDATE_VAR_MON_ADDR 

O.  TM_PRaCESS_CMD.CHK_NO_OP_CMD 

P .  EEPROM.DATA . WRITE_LOAD_DATA_TO_EEPROM 

III.  MANAGE _MSG_RETRIEVAL  (This  task  rendezvous  with  PROCESS.MSG  when 

the  application  message  coimt  is  greater 
than  zero.  This  task  also  rendezvous  with 
BUILD  when  the  application  message  queue 
becomes  not  empty  from  empty.) 

A .  MEMORY.MANAGER . CONV.TYPE 

IV.  Other  Procedures  or  Functions 

A .  NEW_TM_DATA 

B.  RET_LATEST_CMDS 

C .  RET_INIT_CMD_UST_APP_MSG 

D.  INITIATE_BUILD 

1 .  TM.DATA . MANAGE . REPORT_SYSTEM_ERROR 

E.  CONTINUE_BUILD 

1 .  TM.DATA . MANAGE . REPQRT_SYSTEM_ERROR 

EXCEPTIONS: 


NOTES: 


CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 
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01/31/92  B.  Na 


Build  2  Changes 


— SDVS  comaient:  For  the  body  of  APP_MSGS,  we  delete  all  "with"  and  "use" 

— SDVS  connent:  clauses  appearing  before  its  declarative  part.  However,  we 
— SDVS  comment:  move  all  "use"  clauses  for  packages  that  we  actually  need 
— SDVS  comment:  within  and  in  the  beginning  of  the  declarative  part 
— SDVS  comment:  of  the  APP_MSGS  body. 

—SDVS  delete  (with):  with  ARTCLIEMT; 

—SDVS  delete  (with):  with  SYSTEM;  use  SYSTEM; 

—SDVS  delete  (with):  with  INTRINSIC.FUNCTIONS ;  use  INTRIKSIC_FUNCTIONS ; 

—SDVS  delete  (with) :  with  UWCHECKED_C0NVERSI0N; 

—SDVS  delete  (with):  with  GLOBAL.TYPES ;  use  GLOBAL.TYPES ;  —  Globally  used  types. 

— SDVS  delete  (with):  with  CMDS_TYPES;  —  Commonly  used  types  among  the  command  systems 
—  group  packages . 

— SDVS  delete  (with) :  with  TRKING_DATA_STRUC;  —  contains  number  of  words  per 

—  data  structure  table 

—with  SYSTEM_TIME; 

—SDVS  delete  (with)  :  with  MEMORY.MANAGER; 

—  4/21/92  changed  sys_error_type  from  enum  to  integer. 

— SDVS  delete  (with):  with  TH_DATA;  —  no  longer  need  use  TM_DATA; 

— SDVS  delete  (with):  with  TH;  use  TM; 

—SDVS  delete  (with);  with  MDDE.STATE;  use  MODE.STATE; 

—SDVS  delete  (with);  with  SERIAL_DIG_CMDS ;  use  SERIAL.DIG.CMDS ; 

—SDVS  delete  (with):  with  PRIME_SCIENCE_DATA; 

—SDVS  delete  (with):  with  TRKIKG.P ARAMS ; 

—SDVS  delete  (with)  :  with  P0INTING_INF0_0UT; 

—SDVS  delete  (with):  with  ARRAY_0F_BL0CKS; 

—SDVS  delete  (with):  with  EEPR0M_DATA; 

—  REMOVE  LATER! I ! 

—SDVS  delete  (with):  with  SIHPLE.IO;  use  SIMPLE.IO; 

— SDVS  delete  (pragma) :  pragma  elaborate  (TM_DATA) ; 

— SDVS  delete  (pragma) ;  pragma  elaborate  (TRKING_PARAMS) ; 

— SDVS  delete  (pragma) ;  pragma  elaborate  (EEPROM_DATA) ; 

— SDVS  delete  (pragma)  :  pragma  elaborate  (INTRIKSIC_FUNCTI011S) ; 

— SDVS  delete  (pragma) :  pragma  elaborate  (PRIHE_SCIENCE_DATA) ; 

package  body  APP.MSGS  is 

use  INTRINSIC_FU1ICTIDNS ;  — SDVS  replace  (reposition) 
use  GL0BAL_TYPES ;  — SDVS  replace  (reposition) 

— SDVS  delete  use  TM;  — SDVS  replace  (reposition) 
use  MDDE_STATE;  — SDVS  replace  (reposition) 
use  SERIAL_DIG_CMDS ;  — SDVS  replace  (reposition) 

—  I.  Variables  Associated  With  Retrieved  Commands  From  SERIAL_DIG_CMDS . 

—  Holds  the  number  of  commands  retrieved. 

Cmd_Count  ;  INTEGER; 
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—  Retrieved  commands  are  stored  in  this  buffer. 

Cmd.Buf  :  SERIAL_DIG_CHDS.CMD_BXJF_TYPE: 

—  Retrieved  command  statuses  are  stored  in  this  buffer. 

Cmd_Status_Buf  :  SERIAL_DIG_CMDS.CMD_STATUS_BUF_TYPE; 

—  The  following  defines  the  possible  command  status  values  with  the 

—  two  exceptions: 

(1)  Cmd.Lost  is  allowed  only  for  the  last  (70th)  command 
in  the  buffer. 

—  (2)  Cmd_Lost  and  Cmd_FIFO_Not_Empty  may  be  ORed  with  the  rest 

of  status  values. 


—  Cmd.OK 

=  0 

—  App_Msg_Dropped 

=  1 

—  Bad_ Checksum 

=  2 

—  Flushed_prior_Build 

=  3 

—  Invalid_Data_Struct_Msg_ID 

=  4 

—  Invalid_Starting_Cmd 

=  5 

—  App_Msg_0verwritten 

=  6 

—  (The  following  three  conditions 

are  checked  by  SERIAL_DIG_CMDS) 

—  Cmd_Bad_Parity 

=  7 

(Parity  of  the  command  is  not  odd) 

—  Cmd_Lost 

=  8 

(New  command  is  lost  because  the 

— 

command  buffer  is  full) 

—  Cmd_FIF0_Not_Empty 

=  16 

(The  command-in  FIFO  is  not  empty  after 

— 

one  command  is  read) 

—  This  flag  indicates  that  one  or  more  commands  read  from  the  FIFO  were 

—  not  stored  in  the  buffer  because  the  buffer  was  full .  This  flag  is 

—  checked  by  AFP _MSGS. BUILD  to  generate  the  system  error  message. 

Lost_Cmd  :  BOOLEAN  :=  False; 

—  Holds  the  number  of  occurances  that  FIFO  is  not  empty  after  one  command 

—  (4  bytes)  is  read. 

FIFO_Not_Empty_Count  :  INTEGER  :=  0; 

Rejected_Cmd_Count  :  INTEGER  :=  0;  —  0  thru  255 

Max_Rejected_Cmd_Count  :  constant  INTEGER  :=  256; 


—  II.  Variables  Set  and  Used  While  Building  Message 

—  The  messages  built  and  ready  to  be  retrieved  and  processed  eire  stored 

—  in  this  queue.  4/21/92  changed  App_Msg_Q_Size  from  =  30  to  =  15  to 

—  save  space;  saves  15  *  80  =  1200  words,  changed  back  to  =30  5/15/92 

App_Msg_Q_Size  :  constcint  INTEGER  :=  30; 

type  APP_HSG_TYPE  is  array  (1 . . CHDS_TYPES . App_Hsg_Max)  of  GLOB AL.TYPES. WORD; 

-SDVS  delete  (2-dimensional  array) :  type  APP_MSG_q_TYPE  is  array 
-SDVS  delete  (2-dimensional  array):  (1 . .App_Msg_Q_Size,  1. .CMDS_TYPES.App_Msg_Max) 
-SDVS  delete  (2-dimensional  array):  of  GLOBAL.TYPES .WORD; 
type  APP_MSG_Q_TYPE  is  array  (1 .  .  App_Hsg_Q_Size)  of  APP_MSG_TYPE;  —SDVS  replace 
App_Msg_Q  :  APP_HSG_Q_TYPE; 

—  This  buffer  holds  the  intermediate  result  while  the  message  is  being 

—  built.  As  the  message  become  complete,  the  completed  message  is  moved 

—  to  App-Msg-Q. 
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— SDVS  delete  (others):  App.Msg  :  APP_MSG_TYPE  :=  (others  =>  0) ; 

App_Msg  :  APP_MSG_TYPE;  —SDVS  replace 

—  Used  to  control  build  process.  A  logic  False  indicates  the  start 

—  of  build  process.  Will  be  set  to  True  by  INITIATE_BUILD  when 

—  More  coMMands  are  needed  to  build  the  message.  Any  one  of  the 

—  following  abnoMcilies  will  set  this  variable  to  False: 

Cmd  parity  fail 
Msg  checksum  fail 
Invalid  op-code 

Build_In_Progress  :  BOOLEAN  :=  False; 

—  First  byte  (opcode  and  parity)  of  the  start  command  of  the  multiple 

—  commands  message  is  saved;  so  it  can  be  reported  to  TM  as  the  start 

—  command  associated  with  the  last  received  application  message. 
Starting_Cmd_With_Par  :  GLOB AL.TYPES. BYTE; 

—  Used  as  a  word  index  into  the  App_Msg  while  build  is  in  progress  to 

—  store  incoming  command  bytes. 

Word_Cntr  :  INTEGER  :=  0; 

—  Holds  the  number  of  commands  received  for  the  message  currently 

—  being  built . 

Cmds_Rcvd  :  INTEGER  : —  0 ; 

—  Set  by  Initiate_Build  and  used  by  Continue_Build.  Holds  the  number 

—  of  required  commands  to  be  recevied  for  the  build. 

Num_Cmds_For_App_Msg  :  INTEGER  :=  0; 

—  Set  by  Initiate_Build  and  used  by  Continue_Build.  Holds  the  the  number 

—  of  words  of  the  message  to  be  stored  into  the  application  message  queue. 
Num_Words_For_App_Msg  :  INTEGER  :=  0; 

—  Set  by  Initiate.Build  and  used  by  Continue.Build.  Holds  the  next  expected 

—  command  type  to  complete  the  build. 

Cont.Cmd  :  GLOBAL.TYPES.BYTE; 

—  Set  and  used  only  by  Initiate.Build  and  Continue_Build.  Holds  the 

—  last  written  position  in  the  application  message  queue. 

Q_Tail  :  INTEGER  :=  0; 

—  Set  and  used  only  by  MANAGE_HSG_RETRIEVAL .  Holds  the  next 

—  read  position  in  the  application  message  queue. 

Q.Head  :  INTEGER  :=  1; 

—  Holds  the  number  of  messages  built  and  stored  in  the  queue. 

App_Msg_Counter  :  INTEGER  :=  0; 

—  Holds  the  start  command  associated  with  the  last  received  message. 

— SDVS  delete  (others)  :  Cmd_Laist_App_Msg 

—SDVS  delete  (others):  :  SERIAL_DIG_CMDS . CHD_ByTES_TYPE  :=  (others  =>  0); 
Cmd_Last_App_Msg  :  SERIAL_DIG_CHDS.CHD_BYTES_TYPE;  — SDVS  replace 

—  III.  Starting  Command  Op-Codes  (and  Continuation  Codes) 
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—  + — + — + — + — + — + — + — + - + — + — + — + — + — + — + — +. 

—  I  P  i  OP-CODE  I  Cmd  Data  (Bits  0-7) 

—  + - + - + - + - + - + - + - + - + - + - + - + - + - + + - +, 

—  I  Cmd  Data  (Bits  8  -  23) 

—  + - + - + - + - + - + - + - + - + - + - + - h - + - + + - +. 


Data_Struc_Load 

:  constant 

GLOB AL.TYPES. BYTE 

=  1 

RAM_Mem_Load 

:  constant 

GLOB AL.TYPES. BYTE 

=  2 

EEPR0M_Mem_Load 

:  constant 

GLOBAL.TYPES.BYTE 

=  4 

Set_RAM_Def_Tab_Entry 

:  constant 

GLOB AL.TYPES. BYTE 

=  7 

Prep_For_Long_Load 

:  constant 

GLOB AL.TYPES. BYTE 

=  11 

Mem_Dump_X_Frames 

:  constant 

GLOB AL.TYPES. BYTE 

=  13 

Shutdown.Imminent 

:  constant 

GLOB AL.TYPES. BYTE 

=  19 

Sat_Subsys_Conf ig 

:  constant 

GLOB AL_TYPES. BYTE 

=  22 

No_op_Cmd 

:  constant 

GLOBAL_TYPES.BYTE 

=  25 

Chg_Monitor_Loc 

:  constant 

GLOB AL_TYPES. BYTE 

=  28 

Soft_Reset 

:  constant 

GLOB AL.TYPES .BYTE 

=  32 

Mem_Dump_Data_Struc 

:  constant 

GLOB AL.TYPES .BYTE 

=  35 

Clr_Timeout_Telltale 

:  constant 

GLOB AL.TYPES .BYTE 

=  37 

UT_Control 

:  constant 

GLOB AL_TYPES. BYTE 

=  38 

+ 

I 

+ 


+ 


—  Continuation  commands 

Data_Load_Cmd  :  constant  GLOB AL_ TYPES. BYTE  :=  8 
Ext_Dump_X_Frames  :  constant  GLOB AL_TYPES. BYTE  :=  16 
Ext_Chg_Mon_Loc  :  constant  GLOB AL_TYPES. BYTE  :=  31 


"  IV.  Variables  Used  To  Buffer  and  Report  Last  40  Commands  To  TM. 

— SDVS— SDVS— SDVS— SDVS— SDVS—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 
— SDVS— SDVS—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 
— SDVS  The  following  group  of  declarations  are  used  to  report  SDVS 

— SDVS  to  telemetry.  The  declared  objects  are  not  used  in  the  SDVS 

— SDVS  target  code  and  are  therefore  deleted.  Any  assignments  SDVS 

— SDVS  to  them  in  BUILD  are  also  deleted.  SDVS 

—SDVS— SDVS—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS~SDVS~SDVS— SDVS— SDVS 
—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 

—  Used  in  RET_LATEST_CHDS  to  determine  the  first  command  in 

—  Latest_Cmds_Q  to  be  reported  to  TM  at  this  frame. 

—SDVS  delete:  Read_Ptr  :  INTEGER  :=  0; 

—  Points  to  the  last  written  entry  in  the  queue.  Queue  entries 

—  extend  from  1  to  75.  Incremented  by  BUILD  as  the  incoming 

—  commands  are  buffered  in  the  Latest_Cmds_Q 

—SDVS  delete:  Write.Ptr  :  INTEGER  :=  0; 

— SDVS  delete:  Latest_Cmds_Q_Size  :  constant  INTEGER  :=  75; 

—  Holds  up  to  75  commands  and  statuses  which  will  be  reported  to  TM. 

— SDVS  delete:  Zero_Cmd  :  constant  Serial_Dig_Cmds.Cmd_Bytes_Type 
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— SDVS  delete: 


:=  (0,0, 0,0); 


— SDVS  delete:  Latest_CMds_Q 
— SDVS  delete: 

—SDVS  delete: 


:  array  (1 . .Latest_Cads_Q_Size)  of 
Serial_Dig_CBds . Cmd_Bytes_Type ; 
:=  (others  =>  (0,0, 0,0)); 


— SDVS  delete:  Latest_Status_Q 
—SDVS  delete: 


:  array  (1. .Latest_Cmds_Q_Size)  of  INTEGER 
(others  =>  Cmd_0K) ; 


—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 


—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 


—  IV.  Constants  Associated  With  Data  Structures. 


—  These  data  structures  are  used  only  by  INITIATE.BUILD .  However, 

—  to  conserve  runtiae  stack  space,  the  structures  are  defined  here 

—  rather  than  in  INITIATE_BUILD . 

—  This  table  lists  the  number  of  commands  required  to  build 

—  a  data  structure  load  message.  The  data  structure  ID  is  used  as  an 

—  index  into  the  table.  ID  1  thru  49  are  reserved  for  current/future 

—  event,  50  thru  79  are  reserved  for  next  event  and  80  thru  109  are 

—  are  reserved  for  current  data  structures. 

type  CMDS_FDR_DATA_STRUC_TyPE  is  array  (1. .TRKING.DATA_STRUC.Num_Data_Struc) 

of  integer; 

Cmds_For_Data_Struc  :  constant  CMDS_F0R_DATA_STRUC_TYPE  :“ 


(14. 

14, 

14, 

14, 

14. 

14, 

14, 

10, 

10, 

03, 

03, 

04, 

04, 

03, 

03, 

03, 

03, 

03, 

08, 

03, 

03, 

02, 

04, 

02, 

04, 

04, 

04, 

02, 

06, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

10, 

04, 

06, 

38, 

38, 

52, 

52, 

13, 

06, 

04, 

06, 

04, 

05, 

11, 

07, 

08, 

08, 

15, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

04, 

02, 

02, 

02, 

02, 

02, 

04, 

04, 

04, 

04, 

02, 

11, 

07, 

02, 

00, 

00, 

00, 

00, 

00, 

00. 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00, 

00); 

—  IV.  Other  Micellaneous  Variables. 

—  Last  commanded  satellite  subsystem  configuration  value  saved 

—  to  be  reported  to  TM.  If  the  "Store  Subsys  Config  in  EEPRDM" 

—  bit  is  set,  then  the  value  will  be  stored  in  EEPRDM. 
Saved_Sat_Subsys_Config  :  GLDBAL_TYPES . WORD  :=  0; 

—  Holds  the  Data  structure  to  be  stored  in  EEPRDM  or  memory  load 

—  data  to  be  stored  in  EEPRDM.  This  array  is  passed  to  the 

—  EEPRDM, DATA. WRITE_L0AD_DATA_T0_EEPR0M  to  modify  EEPRDM. 

Load.Hsg  :  CMDS.TYPES .L0AD_MSG_TYPE; 

—  The  rzinge  of  Cmd.Total  will  be  0  to  31999. 

Cmd_Total  :  INTEGER; 
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Ciiid_Total_Max  :  constant  INTEGER  :=  32000; 


—  Holds  the  spacecraft  10  #1  status  to  be  reported  in  TM. 
I0_Status_Word  :  GLOBAL.TYPES . WORD ; 


—  Tasks,  Procedures  and  Functions  Used 

function  CONV_WORD_TO_INTEGER  is  nen  UNCHECKED.CONVERSION 

(SOURCE  =>  GLOB AL_TYPES. WORD, 
TARGET  =>  INTEGER) ; 

function  CDNV_BYTE_TO_INTEGER  is  new  UNCHECKED. CONYERS  ION 

(SOURCE  =>  GLOB AL.TYPES. BYTE, 
TARGET  =>  INTEGER) ; 

function  CONV.INTEGER.TO.BYTE  is  new  UNCHECKED.CONVERSION 

(SOURCE  =>  INTEGER, 

TARGET  =>  GLOBAL.TYPES.BYTE); 

function  CONV.BYTE.TO.WORD  is  new  UNCHECKED.CONVERSION 

(SOURCE  =>  GLOBAL.TYPES.BYTE, 
TARGET  =>  GLOBAL.TYPES.WORD); 

function  CONV.WORD.TO.BYTE  is  new  UNCHECKED.CONVERSION 

(SOURCE  =>  GLOBAL.TYPES.WORD, 
TARGET  =>  GLOBAL.TYPES.BYTE); 

procedure  INITIATE.BUILD  (Start .Op.Code  :  in  GLOBAL.TYPES.BYTE; 

Cmd.Buf .Index  :  in  INTEGER) ; 

procedure  CONTINUE.BUILD  (Cont.Op.Code  :  in  GLOBAL.TYPES.BYTE; 

Cmd.Buf .Index  :  in  INTEGER) ; 


— SDVS  delete  (task) :  task  type  BUILD.TYPE  is 
— SDVS  delete  (task) :  pragma  priority  (18) ; 

—SDVS  delete  (task)  :  end  BUILD.TYPE; 

— SDVS  delete  (task):  for  BUILD.TYPE’ St orage.Size  use  350; 
—SDVS  delete  (task):  BUILD  :  BUILD.TYPE; 


—SDVS  delete  (task)  :  task  type  PROCESS.MSG.TYPE  is 
— SDVS  delete  (task):  pragma  priority  (13); 

—SDVS  delete  (task):  end  PROCESS.MSG.TYPE; 

— SDVS  delete  (task): —  for  PRQCESS.MSG.TYPE’Storage.Size  use  4000; 
—SDVS  delete  (task):  for  PROCESS.MSG.TYPE’Storage.Size  use  700; 
—SDVS  delete  (task):  PROCESS.HSG  :  PROCESS.MSG.TYPE; 


—SDVS  delete  (task)  :  task  type  HANAGE_MSG.RETRIEVAL.TYPE  is 

—SDVS  delete  (task):  entry  RET.NEXT.MSG  (App_Hsg_Out  :  out  CMDS.TYPES .  APP.MSG.OUT.TYPE)  ; 

—SDVS  delete  (task):  entry  NOTIFY.MSG.STORED ; 

— SDVS  delete  (task):  pragma  priority  (14); 
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— SDVS  delete  (task) 
— SDVS  delete  (task) 
— SDVS  delete  (task) 


end  MANAGE_MSG_RETRIEVAL_TYPE; 

for  MANAGE_MSG_RETRIEVAL_TYPE’storage_size  use  150; 
MAHAGE_MSG_RETRIEVAL  :  MANAGE_MSG_RETRIEVAL_TYPE ; 


TASK  BUILD 


—  PURPOSE  :  This  task  first  checks  if  there  is  any  commands 

to  be  processed  by  calling  SERIAL_DIG_CHDS .  If  no  command 
is  available  to  be  processed,  then  the  task  ’sleeps’  for 
two  seconds  and  repeats  the  task. 

If  there  are  commands  to  be  processed,  then  the  cmd  buffer, 
status  buffer  and  the  other  associated  variables  are  retrieved 
from  SERIAL_DIG_CMDS .  For  each  command  in  the  buffer,  its  status 
is  checked  for  errors  such  as  parity  error  and  FIFO  not 
empty  and  command  lost  errors.  Then,  either  CQNTINUE_BUILD 
or  INITIATE_BUILD  is  called  to  build  the  application  message (s). 
out  of  commands. 

—  First  the  type  of  application  to  be  built  is  determined. 

If  the  application  message  has  a  checksum,  then  the  message  is 
built  in  the  form  to  validate  the  checksum.  Once  the  checksum 
is  verified,  the  application  message  is  stored  in  the  queue  of 
application  messages. 

A  queue  of  the  last  75  commands  is  also  maintained  to  be 
collected  by  TM. COLLECT. 

This  task  does  not  have  any  entry  points . 


—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 


— SDVS  delete  (task) :  task  body  BUILD .TYPE  is 
procedure  BUILD  is  — SDVS  replace 


— SDVS  comment:  The  four  declarations  that  follow  are  never  used  in  the  code. 
— SDVS  comment:  Actually,  Time.To.Run  is  set  to  0  but  never  used  thereafter. 
— SDVS  delete:  Delay.Time  :  LOHG.FLOAT; 

— SDVS  delete:  Time.To.Run  :  LOHG.FLOAT; 

— SDVS  delete:  Current .UT.Time  :  LOHG.FLOAT; 

— SDVS  delete:  Time.Interv.Between.Exec  :  constant  LOHG.FLOAT  :=  0.5;  — 


Old.App.Msg.Count 

Cmd.Buf.Index 

Op.Code 


:  INTEGER; 

:  INTEGER; 

:  GLOBAL.TYPES.BYTE; 
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—SDVS  delete  (hex):  Parity_Bit_Hask  :  constant  GLOB AL.TYPES .BYTE  :=  16#7F# 

Parity_Bit_Mask  :  constant  GLOBAL_TYPES .  BYTE  :=  127;  —SDVS  replace 

Saved_Cmd_Status  :  INTEGER; 

begin 

—  Hark  the  task  start  time  to  be  used  in  calculating  the  delay 

—  duration  required  to  schedule  this  task  for  a  2  Hz  rate. 

—  Time_To_Run  :=  SYSTEM_TIME.RETORN_CUR_TIME; 

— SDVS  delete:  Time_To_Rtui  :=  0.0; 

— SDVS  delete  (task  loop) :  loop 

— SDVS  delete  (task  loop)  :  loop  —  for  tasking_error 

— SDVS  delete  (task  loop) :  begin 

—  Watchdog  timer  is  initially  armed  in  the  boot  program  just 

—  before  handing  over  control  to  the  application  program.  The 

—  application  program  has  65  ms  to  stop  or  reset  the  timer. 

—  The  application  program  then  rearm  the  timer  for  TBD  seconds. 

—  This  task  periodically  reset  the  timer  to  prevent  the  reset 

—  of  the  tracking  processor. 

—SDVS  delete  (intrinsics)  :  0UTPUT_WQRD(16#0000#,  GO,  0); 


—  Check  if  any  serial  digital  command  is  received  and  buffered. 
Cmd_Count  :=  SERIAL.DIG.CHDS. RET_CHD_ COUNT; 

if  Cmd_Count  >  0  then 

—  Retrieve  the  buffered  commands. 

SERIAL_DIG_CHDS . RET_CMD_BUF_AND_STATUS 
(Cmd_Buf , 

Cmd_Status_Buf , 

Cmd_ Count, 

FIFO_Not_Empty_Count , 

I0_Status_Word, 

Lost_Cmd) ; 

—  total  number  of  cmds  received  since  power-up  excluding  the 

—  number  of  cmds  received  during  boot. 

Cmd_Total  :=  (Cmd_Total  +  Cmd_Count)  mod  Cmd_Total_Max; 

if  Lost_Cmd  then 

—  Cmd_Lost_Occured  =  1 . 

TH.DATA . MANAGE .  REP0RT_SYSTEH_ERR0R( 1) ; 
end  if ; 

—  Used  to  notify  buffer  task,  MANAGE_HSG_RETRIVAL ,  that  now 

—  have  messages  to  process. 

01d_App_Msg_Count  :=  App_Msg_Counter ; 
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for  Ciid_Buf .Index  in  l..CBd_Coimt  loop 

Saved.Cmd.Status  :=  Ciid_Status_Buf(Cmd_Buf  .Index)  ; 

—  Temporairlly  mask  Cmd.FIFO .Not .Empty  (bit  4)  and  Cnd.Lost  (bit  3) 

—  of  the  comand  status  word  during  the  build  process. 

CMd.Status.Buf(Cmd.Buf. Index)  := 

AHD.I(Ciid.Status.Buf(CBd.Buf. Index)  ,  7) ; 

if  CiBd_Status.Buf(CBd.Buf. Index)  =  Cnd.OK  then 

—  zero  parity  bit 
Op.Code  := 

AND.BYTE(Ciiid.Buf(CBd.Buf  .Index)  .First.Byte,  Parity.Bit.Mask)  ; 
if  Build.In.Progress  then 

—  If  build  complete,  stores  the  message  in  queue  to 

—  process  and  increment  App.Msg.Coimter . 

Continue .Build(Op.Code ,  Cmd.Buf .Index) ; 

else 

—  If  build  complete,  stores  the  message  in  queue  to 

—  process  and  increment  App.Hsg.Counter . 

Initiate.Build (Op.Code,  Cmd.Buf. Index) ; 

end  if ; 

else  —  Cmd.Status.Buf (Cmd.Buf .Index)  /=  Cmd.OK 
—  implies  bad  parity 
—  Parity.Failed  =  16 
TM.DATA . MANAGE . REP0RT.SYSTEM_ERR0R(16) ; 

—  Update  the  number  of  rejected  commands  to  report  in  TH. 
Rejected.Cmd.Count  := 

(Rejected.Cmd.Count  +  1)  mod  Max.Rejected.Cmd.Coxmt ; 

—  Terminate  build  process 
Build.In.Progress  :=  False; 

end  if ; 

if  Saved. Cmd.Status  >  7  then 

—  If  Cmd.Lost  and/or  Cmd.FIFO.Not.Empty  condition(s)  exists, 

—  then  set  the  corresponding  bit(s)  of  the  command  status  word. 

—  These  bits  were  temporarily  masked  during  the  build  process. 

Cmd.Status.Buf (Cmd.Buf .Index)  := 

OR.I (Saved. Cmd.Status,  Cmd.Status.Buf (Cmd.Buf .Index)) ; 

end  if ; 
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end  loop;  —  for  Cmd.Buf _Index  in  1 . . Cmd_Connt  loop 


—  APP_MSGS  provides  the  last  40  commands  received  to  TM. 

—  Since  TM  collects  data  once  a  second  on  average,  APP_MSGS 

—  queues  up  to  75  commands  to  give  TM  some  time  to  catch  up 

—  in  the  event  of  heavy  influx  of  commands  in  short  period 

—  of  time. 

— SDVS  comment:  As  we  noted  in  the  specification  of  APP_MSGS,  the  function 
— SDVS  comment :  NEW_TM_DATA ,  and  the  too  procedures  RET_LATEST_CMDS ,  and 
— SDVS  comment:  RET_INIT_CMD_LAST_APP_HSG  axe  used  to  report  to  telemetry. 

— SDVS  comment:  Since  they  are  not  used  in  the  target  code  to  build  or 
— SDVS  comment:  process  messages  (and  are  never  called  by  the  target  software), 

— SDVS  comment:  we  deleted  them.  The  loop  that  follows  assigns  values  to 
— SDVS  comment:  objects  which  are  used  only  by  HEH_TM_DATA,  RET_LATEST_CMDS , 

— SDVS  comment:  and  RET_INIT_CMD_LAST_APP_MSG .  Thus,  we  deleted  the  entire 
— SDVS  comment  loop . 

— SDVS  delete:  for  Cmd_Buf _Index  in  l..Cmd_Count  loop 

—  Latest_Cmds_Q  will  be  Q  of  last  75  cmds .  Cmds  are  stored 

—  here  until  these  are  collected,  up  to  40  cmds  per  frame, 

—  by  TM. COLLECT. 

— SDVS  delete  (artclient) :  Artclient. Enter _Critical_Section; 

"  Write_Ptr  is  used  to  report  the  last  40  commands  to  TM. 

—  If,  for  some  reason,  TM. COLLECT  fails  to  collect  data 

—  as  scheduled,  then  Write_Ptr  could  wrap  around  and 

—  pass  Read_Ptr  (i.e.  queue  overflow  condition).  In  this 

—  case,  the  commands  received  before  the  75th  command 

—  (counting  backward,  most  recent  command  being  1st)  will 

—  be  not  reported  to  TM. 

— SDVS  delete:  Write_Ptr  :=  (Write_Ptr  mod  75)  +  1; 

— SDVS  delete:  Latest_Cmds_Q(Write_Ptr)  :=  Cmd.Buf (Cmd_Buf _Index) ; 

— SDVS  delete:  Latest_Status_Q(Write_Ptr)  :=  Cmd_Status_Buf (Cmd_Buf_Index) ; 

— SDVS  delete  (artclient):  Artclient .Leave_Critical_Section; 

— SDVS  delete:  end  loop; 


— SDVS  delete  (task) :  if  (01d_App_Msg_Count  =  0)  and 

— SDVS  delete  (task) :  (App_Msg_Counter  >  0)  then 

—SDVS  delete  (task):  MANAGE_MSG_RETRIEVAL.N0TIFY_MSG_ST0RED; 

— SDVS  delete  (task) :  end  if ; 
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end  if ;  —  if  Cmd_ Count  >  0  then 


— Tiiie_To_Rtin  :=  Tiiiie_To_Run  +  Time_Interv_Between_Ex:ec ; 
— Current _UT_Time  :=  SYSTEM_TIME.RETURN_CUR_TIME: 

— if  TiMe_To_Run  >  Current _UT_Tiiiie  then 

— Delay_TiMe  :=  Tiae_To_Run  -  Current_UT_Time; 

— DELAY (DURATIONCDelay .Time) ) ; 

— SDVS  delete  (task):  DELAY(0.5); 

— end  if ; 


— SDVS  delete  (task):  exit; 

— SDVS  delete  (exception) :  exception 

— SDVS  delete  (exception) :  when  tasking.error  => 

— SDVS  delete  (exception):  writestring(’'apbte  1"); 

— SDVS  delete  (exception) :  writeln; 

— SDVS  delete  (exception) :  —  App_Msgs_Build_Tasking_Exception  =  86 

—SDVS  delete  (exception):  TM.DATA. MANAGE.  REPDRT_SYSTEM_ERR0R(86)  ; 

— SDVS  delete  (exception) :  when  others  => 

— SDVS  delete  (exception):  writestring("apbe  2"); 

— SDVS  delete  (exception) :  writeln; 

—  App_Msgs_Build_Exception  =  87 

—SDVS  delete  (exception):  TM.DATA.  MANAGE.  REP0RT_SYSTEH_ERRDR(87)  ; 

— SDVS  delete  end;  —  for  begin 

— SDVS  delete  (task  loop):  end  loop; 

— SDVS  delete  (task  loop):  end  loop; 

— SDVS  delete  (exception) :  exception 

— SDVS  delete  (exception) :  when  tasking. error  => 

— SDVS  delete  (exception) :  writestring("apbteol  3") ; 

— SDVS  delete  (exception) :  writeln; 

— SDVS  delete  (exception) :  when  others  => 

— SDVS  delete  (exception):  writestring("apbeol  4"); 

— SDVS  delete  (exception) :  writeln; 

end  BUILD; 
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TASK  PROCESS_MSG 


—  PURPOSE:  This  task  retrieves  and  processes  the  next 

available  application  message  from  the  application 
message  queue . 

This  task  continuously  initiates  a  rendezvous  vith 
MANAGE_MSG_RETRIEVAL  at  the  entry  point  RET_NEXT_MSG . 
This  task  does  not  have  any  entry  points. 

—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 

mm/dd/yy  B .  Na  Build  2  Changes 


— SDVS—SDVS— SDVS— SDVS— SDVS—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS— SDVS 
— SDVS  The  task  PR0CESS_MSG  processes  11  types  of  application  messages. — SDVS 


— SDVS  Since  oe  are  only  interested  in  data-structure  messages  and  the  — SDVS 
— SDVS  messages  are  processed  in  an  Ada  ‘‘case”  statement,  ye  — SDVS 
— SDVS  deleted  all  the  statements  in  all  of  the  cases  (and  substituted  — SDVS 
— SDVS  the  ‘‘null”  statement  for  them)  except  for  the  — SDVS 
— SDVS  Data_Struc_Load  case.  Any  other  uncommented  deletions  are  for  — SDVS 
— SDVS  assignments  to  objects  that  are  used  only  in  the  deleted  cases.  — SDVS 


—SDVS— SDVS—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS--SDVS--SDVS— SDVS— SDVS— SDVS 


—SDVS  delete  (task)  :  task  body  PROCESS_MSG_TYPE  is 
procedure  PROCESS.HSG  is  — SDVS  replace 

—  Holds  the  message  to  be  processed  next. 

— SDVS  delete  (unconstrained  array  ,  others) : 

—SDVS  cont:  New_App_Hsg  :  CMDS_TYPES. APP_MSG_OUT_TYPE(CMDS_TYPES. INDEX_SUBTYPE) 
— SDVS  cont:  :=  (others  =>  0); 

Ney_App_Msg  :  CMDS_TYPES . APP_MSG_OUT_TyPE;  —SDVS  replace 
Ney_Cmd_0p_Code  :  GLOB AL.TYPES. BYTE; 

—  Holds  intermediate  results  while  performing  bitwise 
—  operations. 

Temp_Word  :  GLOBAL.TYPES.WORD; 

Temp_Word_l  :  GLDBAL.TYPES.WORD; 

Temp_Word_2  :  GLDBAL.TYPES.WORD; 

TP.Num.And.Conf ig_Save_Bits  :  GLDBAL.TYPES.WORD; 

Subsys.Config.Bits  :  GLDBAL.TYPES.WORD; 

Addr.Of.RAM.Load  :  LDNG.INTEGER; 

Last.Addr.Load  :  LDNG.INTEGER; 

Dump. Address  :  LDNG.INTEGER; 

—SDVS  delete:  Dump.Params  :  TM.DUMP.P  ARAMS  .TYPE; 

— SDVS  delete:  Mem.Locations.To.Honitor  :  TM.L0CS_T0.M0N.TYPE; 

Status .Of .Request  :  MODE.STATE . STATUS.OF.REQUEST.TYPE ; 

Curr.Mode.State  :  MODE.STATE.MODE.STATE.TYPE; 
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—  Data  structure  storage  selection  values. 

Update_RAM  :  constant  INTEGER  :=  1; 

Update_EEPRDM  :  consteint  INTEGER  :=  2; 

Update_Both  :  constant  INTEGER  :=  3; 

UT.Intemal  :  constant  INTEGER  :=  1; 

Storage_Selection  :  INTEGER; 

MeBory_Upload_Select  :  INTEGER; 

Data_Struc_ID  :  INTEGER; 

Data_Struc_Length  :  INTEGER; 

—  Used  to  write  load  data  or  data  sturcture  message  to  EEPROM. 

Load_Msg_Is_Data_Struc  :  BOOLEAN; 

Stored  :  BOOLEAN; 


begin 

—  Configure  satellite  subsystem  with  the  configuration  word 
—  preserved  in  EEPROM. 

— SDVS— SDVS—SDVS— SDVS— SDVS--SDVS— SDVS— SDVS--SDVS— SDVS— SDVS— SDVS— SDVS 
— SDVS  comment:  The  next  block  of  code  (up  to  the  simple  loop)  is  executed 
— SDVS  only  once  at  the  elaboration  of  the  task.  It  serves  no  function 
— SDVS  for  our  pxrrposes. 

—SDVS— SDVS— SDVS— SDVS— SDVS— SDVS—SDVS— SDVS--SDVS--SDVS— SDVS— SDVS—SDVS 
—SDVS  delete:  Saved_Sat_Subsys_Conf ig  :=  EEPROM_DATA.RET_SyS_CONFIG; 

—SDVS  delete:  OUTPUT_WORD(Saved_Sat_Subsys_Conf ig,  PO,  16#0028#)  ; 

—  Set  prime  science  data  rate  based  on  Bit  4  of 
—  Saved_Sat_Subsys_Conf ig. 

— SDVS  delete:  Temp_Word  :=  AND_WORD(Saved_Sat_Subsys_Conf ig,  16#0800#) ; 

— SDVS  delete:  if  Temp_Word  =  16#0800#  then 

—SDVS  delete:  PRIHE_SCIENCE_DATA.SET_PRIME_SCI_DATA_RATE(5)  ; 

— SDVS  delete:  else 

—SDVS  delete:  PRIME_SCIENCE_DATA.SET_PRIME_SCI_DATA_RATE(25)  ; 

— SDVS  delete:  end  if; 


— SDVS  delete  (task  loop) :  loop 

— SDVS  delete  (task  loop) :  loop  —  for  tasking_error 

— SDVS  delete  (task  loop) :  begin 

—  Waiting  for  a  message  to  be  sent  from  CP  and 
—  built  to  process 
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— SDVS  delete  (writestring,  writeln) : 


WRITESTRING ( " apPM  pends " ) ;  WRITELN ; 


— SDVS  comment :  The  next  statement  is  an  extended  rendezvous  with  the  task 
— SDVS  comment:  MANAGE_MSG_RETRIEVAL  at  the  entry  RET_NEXT_MSG .  The  rendezvous 
— SDVS  comment:  can  take  place  only  if  App_Hsg_Counter  >  0.  Hence,  we  have 
— SDVS  comment :  replaced  the  rendezvous  with  an  if  statement  that  executes 
— SDVS  comment:  the  code  following  the  rendezvous  only  if  App_Msg_Counter  >  0. 

—SDVS  delete  (task):  MANAGE_MSG_RETRIEVAL.RET_NEXT_HSG(New_App_Msg)  ; 

if  App_Msg_Counter  >  0  then  — SDVS  replace 

MANAGE_MSG_RETRIEVAL(New_App_Msg);  —SDVS  replace 

—SDVS  delete  (writestring,  writeln):  WRITESTRING  ("apPMp")  ;  WRITELN; 

—  The  following  code  will  be  executed  only  if 
—  MANAGE_MSG_RETRIEVAL.RET_NEXT_HSG  has  been  accepted 
—  (or  rendezvoused) . 


—  Typical  Message  Format 


—  (1) 

+ - 

1 

- + - 

1 

op-code 

—  (2) 

1 

msg  word 

— 

+ - — — — 

+ - + - + 

(n)  I  fflsg  checksum  I 

+ - + - + 


—  I  I  I 

+ - + - + 

(80) I  size  of  msg  words  =  n  I 

+ - + - + 


New_Cmd_0p_Code  :=  C0NV_INTEGER_T0_BYTE(NEW_APP_MSG(1)) ; 
Curr_Mode_State  :=  MODE.STATE .  RETRIEVE_CUR_STATE ; 
case  New_Cmd_0p_Code  is 


when  Data_Struc_Load  => 

—  Data  Struc  Load  Message  Format 

+ - K - + - + - ^ - + - + H H - + - H - + - + - + - H - 1 - 1- 

—110  0  0  0  0  0  0  01  opcode  =  1  I 

+ - + - + - + - + - + - + + + - + - + - + + - + - + - + - + 

—  2|0  0  0  0  0  OlEIRl  data  structure  id  I 
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—  3 


H - + - + - + - ^ - + - H - + - + - + - + - + - + - h - H - h - + 

I  data  structure  word  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

I  data  structure  word  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 


— 

+ - + - + - + — 

1 

1 

1 

+  H 

1 

1 

1 

+  H 

1 

-+ - + - + - + - + - + - + - 

checksum 

-+ - + - +• 

— 

1  /  /  /  / 

/  / 

/////// 

/  / 

+ - + - + - + — 

1 

1 

+ 

1 

1 

1 

+ 

1 

.+ - 1. - + - + - + - + - . 

+ 

1 

1 

1 

+ 

1 

1 

1 

+ 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  80  1  num  of  asg  words  1 

H - + - + - ^ - + - + - + - ^ - + - H - + - + - + - h - + - h - + 

—  E  :  1  -  store  in  EEPROM 

—  R  :  1  -  store  in  RAM 


— SDVS  conment:  The  call  below  to  MEHORY_MANAGER.CONV_TYPE  is  used  to  assign 
— SDVS  comment:  the  value  of  New_App_Hsg(2)  (an  integer)  to  Temp_Word_l 
— SDVS  comment:  (a  word).  The  body  of  C0NV_TYPE  is  written  in  1750A.  We  replace 
— SDVS  comment:  this  call  by  a  type  conversion. 

—SDVS  delete  (1750A):  MEMaRY_MANAGER.CONV_TYPE 

— SDVS  delete  (1750A):  (New_App_Msg(2) ’address,  —  Source 

— SDVS  delete  (1750A):  Temp_Word_l’ address,  —  Target 

—SDVS  delete  (1750A):  1);  —  Words 


Temp_Word_l  :=  GLOBAL_TYPES.WORD(New_App_Msg(2))  ;  —SDVS  replace 


— SDVS  delete  (hex) : 

Temp_Word 


Temp.Word  :=  AND_WORD(16#FFOO#,  Temp_Word_l) ; 
:=  AHD_W0RD(65280,  Temp_Word_l)  ;  —SDVS  replace 


—SDVS  delete  (hex)  : 

Temp_Word_2 


Temp_Word_2  :=  AND_W0RD(16#00FF#,  Temp_Word_l) ; 
:=  AND_W0RD(255,  Temp_Word_l) ; 


Temp_Word_l  :=  SHIFT_LOGICAL_WORD(Temp_Word,  -8); 

St orage_S election  :=  CONV_WORD_TO_INTEGER(Temp_Word_l) ; 


Data_Struc_ID  :=  C0NV_WaRD_T0_INTEGER(Temp_Word_2)  ; 
Data_Struc_Length  :=  TRKIKG_DATA_STRUC. Words _For_Data_Struc( 

Data_Struc_ID) ; 


if  Data_Struc .Length  /=  0  then 


if  (Curr_Mode_State  /=  Init .Memory .Load)  and 
(Curr.Mode.State  /=  Init.Memory.Dump)  then 


if  (Storage.Selection  =  Update.EEPROH)  or 
(Storage.Selection  =  Update.Both)  then 

MODE.STATE.CHG.STATE(Init.EEPROH_Write,  Status.Of. Request) ; 
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if  Status_Of .Request  =  State.Gremted  then 

—  Strip  off  Ken_App_Msg(l)  which  contains  opcode, 

—  the  contents  of  data  structure  (including  checksum) is 

—  stored  in  New_App_Msg(2)  thru  (Data_Struc_Length+l) . 

— New_App_Msg(l . .Data_Struc_Length)  := 

New_App_Msg(2. .Data_Struc_Length+l) ; 

— SDVS  delete  (array  slice):  EEPROM_DATA.STORE_DATA_STRUC_IN_EEPROM 

(New_App_Msg(l. . Data. Struc .Length) , 

— SDVS  delete  (array  slice):  (New.App.Msg(2. .Data.Struc.Length+1) , 

— SDVS  delete  (array  slice):  Data.Struc.ID, 

— SDVS  delete  (array  slice):  Data.Struc.Length) ; 

EEPRQM.DATA . STQRE.DATA.STRUC.IN.EEPROM 
(New.App.Hsg, 

Data.Struc.ID, 

Data.Struc.Length) ; 

MODE.STATE.CHG.STATE(Cuxx.Mode_State,  Status.Df. Request) ; 
if  Status. Of. Request  /=  State.Granted  then 
—  State_Not.Restored_After.EEPRDM.Wr  =  43. 

TH.DATA. MANAGE. REPaRT_SYSTEM_ERROR  (43) ; 
end  if ; 

else  —  Init.EEPROH.Write  state  not  granted. 

—  Data.Struc.Lost.EEPROM.State.Denied  =  44 
TH.DATA. MANAGE. REPaRT_SYSTEM_ERROR  (44) ; 
end  if; 

end  if ; 

if  (Storage.Selection  =  Update.RAM)  or 

(Storage.Selection  =  Update.Both)  then 
—  Mask  storage  selection  field  before  passing  to 
—  store  in  RAM. 

New_App_Msg(2)  :=  Data.Struc.ID; 

—  Strip  off  checksinn  word. 

— New.App.Msgd .  .Data_Struc_Length-l)  :  = 

New_App_Msg(2. .Data.Struc.Length) ; 
—TRKING.P  ARAMS .  MANAGE .  STORE.TRKING.STRUC  ( 

New.App.Msgd. .Data_Struc_Length-l)) ; 
TRKING.P ARAMS . MANAGE . STORE.TRKING.STRUC ( 

New_App_Msg(2. .Data.Struc.Length)) ; 

null;  — SDVS  replace 
end  if ; 

if  (Storage.Selection  >  Update.Both)  and 
(Storage.Selection  <  Update.RAM)  then 
—  Data.Struc.Storage.Invalid  =  45 
TH.D ATA. MANAGE. REPORT.SYSTEH.ERROR  (45) ; 
end  if ; 

else  —  Current  mode  is  either  init  memory  dump  or  memory  load. 

—  Data.Struc.Lost.Invalid. State  =  46 
TM.DATA. MANAGE. REPORT_SYSTEM_ERROR  (46) ; 


—SDVS  delete 


—SDVS  delete 
—SDVS  delete 
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end  if ; 


end  if;  —  Data  struc  length  is  not  0.  Length  0  implies  unused 
—  data  struc  ID. 


when  Sat_Subsys_Conf ig  => 
null;  — SDVS  add 

Satellite  Subsystem  Configuration  Message  Format 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +, - + 

—  llOOOOOOOOl  opcode  =  22  I 

+ - + - + - + - + - + - H - + - + - + - + - + - + - + - + - + - + 

—  21/  /  /  /  /  /  /  /I  reserved  I  A  I  B  I  C  I  D  I  E  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  31/  /  /  /  /  /  /  /|0  0  0  0  0  OlFlGl 

I////////////////I 
+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 


+ - 1 - h - h - + - + - + - + - + - H - h - + - + - + - + - + - h 

—  80  I  num  of  msg  words  =  3  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  A  :  0  -  AP  1 

1  -  AP  2 

—  B  :  0  -  25  MBPS 

1-5  MBPS 

—  C  :  0  -  CP  1 

1  -  CP  2 

—  D  :  0  -  Upload  1 

1  -  Upload  2 

—  E  :  0  -  DHS  1 

1  -  DHS  2 

—  F  :  0  -  TP  1 

1  -  TP  2 

—  G  :  0  -  Do  not  save  configuration  word  in  EEPROM 

1  -  Save  configuration  word  in  EEPROM 


— SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 


if  Curr_Mode_State  =  Init_Setup  or 

Curr_Hode_State  =  Tracking.Setup  or 
Curr_Mode_State  =  Tracking  then 


—SDVS  delete: 
—SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 


MEMORY.MANAGER . C0NV_TYPE 

(New_App_Msg(2) ’address,  —  Source 

Temp _Word’ address,  —  Target 

1) ;  —  Words 

Subsys_Config_Bits  :=  SHIFT_LOGICAL_WDRD(Temp_Word,  8); 


— SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 


MEMORY.MANAGER . CONV.TYPE 

(New_App_Msg(3) ’address ,  —  Source 

Temp_Word’ address,  —  Target 

1)  :  —  Words 

TP_Num_And_Config_Save_Bits  :=  AND_WORD(Temp_Word,  16#0003#) ; 
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— SDVS  delete: 


OUTPUT_WORD(Subsys_Config_Bits,  PD,  16#0028#) ; 


— SDVS  delete:  Saved_Sat_Subsys_Conf ig 

— SDVS  delete:  :=  OR_WORD(Subsys_Config_Bits,  TP_Nuiii_And_Conf  ig_Save_Bits)  ; 

—  Save  the  conf igirration  vord  in  EEPROM  if  flagged  to 
—  do  so  and  also  provide  it  to  TM  for  reporting. 

— SDVS  delete:  if  (Ne¥_App_Msg(3)  =  1)  or 

— SDVS  delete:  (New_App_Msg(3)  =  3)  then 

—SDVS  delete:  EEPROM.DATA. STORE, SYS_CONFIG(Saved_Sat_Subsys_Config)  ; 

— SDVS  delete:  end  if; 

—SDVS  delete: 

—  Set  prime  science  data  rate . 

— SDVS  delete:  Temp_Word  :=  AND_WORD(Saved_Sat_Subsys_Conf ig,  16#0800#) ; 

— SDVS  delete;  if  Temp_Word  =  16#0800#  then 

—SDVS  delete:  PRIME_SCIENCE_DATA.SET_PBIHE_SCI_DATA_RATE(5)  ; 

— SDVS  delete:  else 

—SDVS  delete:  PRIME_SCIENCE_DATA.SET_PRIME_SCI_DATA_RATE(25)  ; 

— SDVS  delete:  end  if; 

— SDVS  delete:  else  —  current  state  inhibit  satellite  subsystem  config  change. 

—  Subsys_Config_Chg_Not .Allowed  =  S 
—SDVS  delete:  TM_DATA.MANAGE.REP0RT_SYSTEM_ERR0R(5) ; 

— SDVS  delete:  end  if; 

when  Soft.Reset  => 
null;  —SDVS  add 
—  Soft  Reset  Message  Format 

+ - + - + - + - + + + + + + + + + + + + - + 

—  llO  0  0  0  0  0  0  01  opcode  =  32  1 

—  2  \  ////////////////  \ 

+ - + - h - h - h + + h + + h + y + + - + 


+ - + - + - + - + - H - h - + - H - + - H - + - + - + - + - y - + 

—  80  I  num  of  msg  words  =  1  I 

+ - h - + - + - + - + - + - + - ^ - + - + - + - y - + - + - 1 - + 

—  Soft.Reset  message  is  allowed  in  any  mode/state  except 

—  in  Init_EEPROM_Write  state  which  cannot  happen  when 

—  processing  this  message  since  enter  and  exit  Init.EEPROM, 

—  Write  state  are  required  while  storing  an  message  in  EEPROM. 

—SDVS  delete:  MODE.STATE. PERFORM, SOFT.BESET; 

when  Prep,For,Long,Load  => 

—  Prepare  For  Long  Load  Message  Format 

+ - + - y - y - ^ - + - + - 1 - H - + - + - H - H - + - y - + - + 
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—  1 

1 

0 

0 

0 

0 

0 

0 

0 

0 

1 

opcode  = 

11 

1 

— 

+  - 

— 

-  +  - 

— 

— 

— 

-+- 

— 

— +. 

— 

-+- 

— 

— 

-+ - +  - 

— +. 

- +  . 

-+ - 

-+ 

—  2 

1 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

1 

0 

0 

0 

0 

0 

0 

1 

A 

1 

— 

+  - 

— 

— 

— 

-+- 

— 

-+- 

— 

-+- 

— 

-+- 

— +. 

— 

— 

-+- 

+ 

+ 

— +. 

- 4-. 

— 

- 

-+ 

—  3 

1 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

1 

niun 

of  blocks 

1 

— 

1 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

/ 

1 

_ 

+‘ 

_ 

-+- 

_ 

_ _ 

_ 

_ 

-+- 

_ 

- 4-. 

_ 

_ 

_ 

-+ - +- 

- +. 

- +. 

-+ - 

- 

-+ 

+ - h - + - h - ^ - h - h - + + - + - + - h - + - 1- - + - + - H 

—  80  I  num  of  asg  words  =  3  I 

+ - + - + - + - + - + - + - + + - + - + - + - + - + - + - + - + 

—  A:  1  -  command  system  1 
2  -  command  system  2 
null;  — SDVS  add 

— SDVS  delete:  M0DE_STATE. CHG_STATE(Init_Memory_Load,  Status_0f _Request) ; 

— SDVS  delete:  if  Status_0f _Request  =  State.Granted  then 

— SDVS  delete:  Memory _Upload_Select  :=  AND_I (Neo_App_Msg(2) ,  16#0003#) ; 

— SDVS  delete:  if  Memory _Upload_Select  =  1  then 

configure  for  memory  upload  1 

Saved_Sat_Subsys_Config  :=  AND_W0RD 

(Saved_Sat_Subsys_Conf ig,  16#FD03#) ; 
elsif  Memory _Upload_Select  =  2  then 

—  configure  for  memory  upload  2 
— SDVS  delete:  Saved_Sat_Subsys_Conf ig  :=  DR_WDRD 

— SDVS  delete:  (Saved_Sat_Subsys_Conf ig ,  16#0200#) ; 

— SDVS  delete:  end  if; 

— SDVS  delete:  OUTPUT_WORD(Saved_Sat_Subsys_Conf ig,  PD,  16#0028#) ; 

—  Initiate  long  memory  load  process. 

—SDVS  delete:  ARRAY_0F_BL0CKS.INIT_L0NG_L0AD(New_App_Msg(3))  ; 

—SDVS  delete :  ARRAY_0F_BL0CKS  .PROCESS_MSGS_IN_BLOCKS  .PREPARE_F0R_TIHE0UT 

— SDVS  delete:  else  —  state  not  granted 

—  Init_Men_Load_Sta_Denied  =  2 

—SDVS  delete:  TM.DATA. MANAGE. KEP0RT_SYSTEM_ERR0R(2) ; 

— SDVS  delete:  end  if;  —  state  granted  or  denied 


when  Mem_Dump_X_Fraaes  => 
null;  —SDVS  add 

—  Memory  Dump  X  Frames  Message  Format 


+ - + - + - + - + - 

—  1  1  0  0  0  0  0 

-+ - H - h - +— 

0  0  0  1 

— + - 

-+ - + - + - +— 

opcode  =  13 

—  2  1  0  0  0  0  0 

0  0  0  1 

num 

of  dump  data  words 

=  k 

+ - + - + - + - + - 

-+ - + - k - +— 

— + — 

1 

+ 

1 

1 

1 

+ 

1 

1 

1 

+ 

1 

1 

+ 

1 

- 

—SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 
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--3I0  0  0  0  0  0  0  OlO  0  0  01  high  addr  bits  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  4  I  Ion  addr  bits  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  5  I  checksum  I 

I////////////////I 

+ - + - + - + - + - + - + - + - ^ - + - + - + - + - + - + - + - + 


+ - + - + - + - + - + - + - ► - H - + - + - + - + - + - + - + - + 


nruii  of  msg  cords  =  5 


+ - + - + - + - + - + - + - + - + - + - + - +_ 


_+ - + - + - + 


— SDVS  delete: 


M0DE_STATE. CHG_STATE(Init_Hemory_Dump ,  Status.Of .Request) 


— SDVS  delete: 


if  Status.Of .Request  =  State.Granted  then 


-SDVS  delete: 
-SDVS  delete: 
-SDVS  delete: 


HEMORY.MANAGER . COMV.TYPECNen.App.Msg (3) ’ address , 

Dump.Address ’ address , 

2); 


-SDVS  delete: 
-SDVS  delete: 
-SDVS  delete: 


Dump.Params  :=  (Kind.Of.Dump  =>  Spec.Addr, 

Num.Frames  =>  NEW.APP_MSG(2) , 
Start .Address  =>  Dump.Address) ; 


—SDVS  delete: 


TM . PROCESS.CMD . SET.MEM.DUMP.P ARAMS (Dump.Params) ; 


—SDVS  delete: 


—SDVS  delete: 


else  —  Status.Of.Request  =  State.Denied 
Init.Mem.Dump.Sta.Denied  =  3 

TM.DATA. MANAGE. REP0RT.SYSTEM.ERR0R(3) ; 


—SDVS  delete: 


end  if ; 


when  Shutdown.Imminent  => 
null;  — SDVS  add 

Shutdown  Imminent  Message  Format 

+ - + - + - + - + - + - + - 1- - ^ - + - + - + - + - + - + - + - + 

—  llO  0  0  0  0  0  0  0|  opcode  =  19  1 

—  2  \  ////////////  i  ///  \ 


+ - + - + - + - + - + - + - + - + - + - H - + - + - + - + - + - + 

—  80  I  num  of  msg  words  =  1  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—SDVS  delete:  POINTING.INFO.OUT.SET.SHUTDOWN .IMMINENT; 


when  Chg.Monitor.Loc  => 
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null;  — SDVS  add 

—  Change  Monitor  Location  Message  Foraat 

+ - + - + - + - + - + - + - + - H - + - + - + - + - + - + - + - + 

—  1|0  0  0  0  0  0  0  0|  opcode  =  28  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  210000000000001  high  addr  bits  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  3  I  low  addr  bits  I 

4- - + - + - + - + - + - + - h - H - + - + - + - + - + - + - + - + 

—  410000000000001  high  addr  bits  I 

—  5  I  low  addr  bits  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  6|0  0  0  0  0  0  0  0  0  0  0  0|  high  addr  bits  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  7  I  low  addr  bits  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  8|0  0  0  0  0  0  00  0  0  0  0|  high  addr  bits  I 

H - + - + - + - + - + - + - H - + - + - H - + - 1- - 4 - 1- - + - + 

—  9  I  loo  addr  bits  1 

4 - 4- - 4- - 4- - ^ - 4- - 4 - 4 - 4. - 4. - + - 1 - 1. - 4 - 4. - 4. - 4. 

—  10  |0  0  0  0  0  0  0  0  0  0  0  0|  high  addr  bits  I 

4. - 4. - 4. - 4. - 4. - 4- - 4. - 4 - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. 

—  11  I  low  addr  bits  I 

—  12  |0  0  0  0  0  0  0  0  0  0  0  01  high  addr  bits  I 

4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. 

—  13  I  low  addr  bits  I 

4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. 

—  14  I  checksum  I 

\  ////////////////  \ 


4. - 4. - 4- - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4. - 4- 

—  80  I  num  of  msg  words  =  14  1 


— SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 


if  Curr_Mode_State  =  Init_Setup  or 
Curr_Hode_State  =  Tracking.Setup  or 
Curr_Mode_State  =  Tracking  then 


—SDVS  delete: 
—SDVS  delete: 
—SDVS  delete: 
— SDVS  delete: 


Convert  integers  to  an  array  of  addresses 
MEMORY.MANAGER . CONV.TYPE 

(New_App_Msg(2) ' address , 

Mem_Locat ions_T o_Monit  or ( 1 ) ’ addre  ss , 

12); 


— SDVS  delete: 


TH.PR0CESS_CMD. UPDATE.  VAR_MON_ADDR(Meii_Locations_To_Monitor) 


— SDVS  delete: 
— SDVS  delete: 


else 

Chg_Monitor_Loc_Denied  =  6 

TM.DAT A .MANAGE . REP0RT_SYSTEM_ERR0R(6) ; 
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— SDVS  delete: 


end  if ; 


when  No_Op_Cmd  => 
null;  —SDVS  add 

—  No-Operation  Message  Format 

+ - + - + - + - + - + - + - + - ^ - + - H - + - + - + - + - + - + 

—  llo  0  0  0  0  0  0  0|  opcode  =  25  I 

—  2  \  ////////  J  ///////  \ 

+ - + - + - + - + - + - + - + - + - + - H - + - + - + - + - + - + 


+ - + - + - + - + - + - + - + + - + - + - + - + - + - + - + - + 

—  80  I  num  of  msg  words  =  1  I 

+ - + - + - H - + - + - + - K + - + - + - + - + - + - ^ - 1- - + 

— SDVS  delete:  if  Curr_Mode_State  =  Init_Setup  or 

— SDVS  delete:  Curr_Mode_State  =  Init_Hemory_Load  or 

— SDVS  delete:  Curr_Mode_State  =  Tracking_Setup  or 

— SDVS  delete:  Curr_Mode_State  =  Tracking  then 

—SDVS  delete:  TM.PRaCESS_CMD.CHK_ND_OP_CHD: 

— SDVS  delete:  else 

—  No_0p_Cmd_Denied  =  7 

—SDVS  delete:  TM.DATA. MANAGE. REP0RT_SYSTEM_ERR0R(7)  ; 

— SDVS  delete:  end  if; 


when  RAM_Mem_Load  => 
null;  —SDVS  add 

—  RAM  Memory  Load  Message  Format 

+ - + - H - + - + - + - + - + - + - + - + - ^ - + - + - h - + - + 

—  1|0  0  0  0  0  0  0  0|  opcode  =  2  I 

+ - + - + - + - + - + - + - + - ^ - + - + - + - + - + - + - + - + 

—  2|0  0  0  0  0  0  0  0|  mun  of  load  data  words  =  k  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  3|0  0  0  0  0  0  0  0|0  0  0  01  high  addr  bits  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  4  I  low  addr  bits  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  5  I  load  data  word  1  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  6  1  load  data  word  2  I 

+ - + - + - 1- - 1 - + - 1 - + - H - + - + - - H - ^ - + - + - + 


+ - + - + - + - + - + - + - + - ^ - + - + - + - + - + - + - + - + 

—  K+4|  load  data  word  k  I 

+ - + - + - + - + - + - + - + - H - + - + - + - + - + - + - + - + 
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checksum 


—  K+51 

I////////////////I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 


+- 

—  80  I 


num  of  msg  words  =  K+5 


—SDVS 

delete : 

—SDVS 

delete : 

—SDVS 

delete : 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

delete : 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

delete : 

—SDVS 

delete : 

—SDVS 

delete : 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

delete: 

—SDVS 

delete : 

—SDVS 

delete: 

—SDVS 

delete: 

if  Curr_Hode_State  =  Init_Setup  or 
Curr_Mode_State  =  Trackiiig_Setup  or 
Curr_Kode_State  =  Tracking  then 

MEMORY.MAKAGER . CONV.TYPE (New_App_Msg (3) ’ address , 

Addr_0f _RAM_Load ’ address , 

2); 

Last_Addr_Load  :=  Addr_Of_RAH_Load  + 

L0HG_INTEGER(NeB_App.Msg(2))  -  1; 

—  REMINDER:  need  logic  to  verfy  that  the  Addr_0f _RAM_Load 

—  is  not  violating  the  restricted  RAM  (air?)  space. 

if  Last_Addr_Load  <=  16#7FFFF#  and 
Addr_0f _RAM_Load  >=  0  then 

—  pass  destination  addr,  data  and  number  of  words. 

MEMORY_MANAGER . WRITE_T0_RAH 

(Addr_Of_RAH_Load, 

NEW_APP_MSG(5) 'ADDRESS, 
New_App_Hsg(2) ) ; 

else  —  load  addr  is  beyond  RAM  addr 

—  RAM_Load_Addr_Invalid  =  10 

TM.DATA . MANAGE. REPORT_SYSTEM_ERRDR( 10) ; 
end  if ;  —  load  addr  is  within  or  beyond  RAM  addr 

else 

not  allowed  dxiring  memory  dump  or  long  load 
RAM_Mem_Load_Denied  =  9 

TM_DATA . MANAGE . REP0RT_SYSTEH_ERR0R ( 9) ; 
end  if ; 


when  EEPR0M_Mem_Load  => 


null;  — SDVS  add 

—  EEPROM  Memory  Load  Message  Format 


— 

+  - 

— 

-+- 

— 

-+- 

— 

-+- 

— 

— 

— 

— 

— 

-+ — 

-+ — 

_+ — 

-+ - 

+ 

+ 

+ 

1 

— + - + 

—  1 

1 

0 

0 

0 

0 

0 

0 

0 

0 

1 

opcode 

=  4 

1 

— 

+- 

-4— 

— 

— 

-+- 

— 

-+- 

— 

— 

— 

_+ — 

-+ — 

-+ - 

-+ - 

+ 

+ 

+ 

- + 

—  2 

1 

0 

0 

0 

0 

0 

0 

0 

0 

1 

num 

of  load 

data  words 

=  k  1 

— 

+  - 

-+- 

— 

-+• 

— 

-4- 

— 

— 

— 

— 

-+ — 

_+ — 

-H - + - 

- + - +  — 

+ 

+ 

—  3 

1 

0 

0 

0 

0 

0 

0 

0 

0 

1  0 

0 

0 

0 

1  high  addr  bits  I 

no 


+ - + - + - + - + - + - + - h - + - + - + - + - + - + - + - + - + 

—  4  I  low  addr  bits  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  5  I  load  data  word  1  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  6  I  load  data  word  2  I 

+ - + - + - + - + - + - + - 1- - + - + - + - + - + - + - + - + - + 


+ - + - + - + - + - + - + - + - + - + - 1- - + - + - + - + - + - + 

—  K+4 I  load  data  word  k  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  K+5 I  checksum  I 

\  !  ///////////////  \ 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 


+ - + - + - + - + - + - + - + - + - + - +_ 


num  of  msg  words  =  k+5 


+ - + - + - + - + - + - + - +_ 


_+ - + - + - + - + - + - + - + 


— SDVS  delete: 


MODE_STATE.CHG_STATE(Init_EEPROM_Write,  Status_Of_Request) ; 


—SDVS  delete: 


if  Status_Of_Request  =  State_6ranted  then 


—  Strip  off  New_App_Msg(l) ,  opcode  word 
-SDVS  delete:  MEH0RY_MANAGER.C0NV_TYPE(New_App_Msg(2) ’address, 

-SDVS  delete:  Load_Msg(l) ’address, 

-SDVS  delete:  CMDS_TYPES . App_Msg_Hax-l) ; 


-SDVS  delete: 
-SDVS  delete: 
-SDVS  delete: 
-SDVS  delete: 
-SDVS  delete: 


Load_Msg_Is_Data_Struc  :=  False; 
EEPRDH.DATA . WRITE_LOAD_DATA_TO_EEPROM 
(Load_Hsg, 

Load_Hsg_Is_Data_Struc , 
Stored) ; 


-SDVS  delete:  HODE_STATE.CHG_STATE(Curr_Mode_State,  Status_Of_Request) ; 

-SDVS  delete:  if  Status_Of .Request  /=  State.Granted  then 

—  State_Not_Restored_After_EEPROM_Wr  =  43 
-SDVS  delete:  TH.DATA. MANAGE. REPORT.SYSTEM.ERROR  (43); 

-SDVS  delete:  end  if; 

-SDVS  delete:  else  —  EEPROM  write  state  denied 

—  Init_EEPROM_W_Sta_Denied  =  8 

-SDVS  delete:  TM.DATA. MANAGE. REP0RT_SYSTEH_ERR0R(8) ; 

-SDVS  delete:  end  if;  —  EEPROM  Write  state  granted  or  denied 


when  Set_RAM_Def_Tab .Entry  => 


—  COMING  SOON,  may  not  come  forever 
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null ; 


when  Clr_Ti»eout_Telltale  => 
null;  — SDVS  add 

Clear  Timeout  Telltale  Message  Format 

+ - + - 1- - H - + - + - + - + - H - ^ - 1- - + - + - + - + - + - + 

—  1|0  0  0  0  0  0  0  0|  opcode  =  37  I 

—  2  \  ////  /!//////////  \ 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 


+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  80  I  num  of  msg  words  =  1  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—SDVS  delete:  aUTPUT_W0RD(16#0000#,  PO,  16#0018#)  ; 


when  UT.Control  => 
null;  —SDVS  add 

—  UT  Control  Message  Format 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  1|0  0  0  0  0  0  0  0|  opcode  =  38  I 

+ - + - + - + - + - + - + - + - H - + - + - + - + - + - + - + - + 

—  2I////////I00000000I 

+ - + - + - + - + - + - + - (. - + - + - + - + - + - + - + - + - + 

—  31/  /  /  /  /  /  /  /lO  0  0  0  0  0  OlII 

-  +s»»+*3=4.*aa+5B»s:+=ssa+*ssa+a*=+==+==+==+==+==+==+=«=5s+==+===+ 

—  4I////////////////I 

+ - + - + - + - + - + - + - 1- - + - + - + - + - + - + - + - + - + 


+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  80  I  num  of  msg  words  =  3  I 

+ - + - + - + - ^ - + - + - + - + - + - + - 1 - + - H - + - h - 1- 

—  I  :  1  -  UT  interal  control 

0  -  UT  normal  control 


—SDVS  delete: 
—SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 
— SDVS  delete: 


if  New_App_Msg(3)  =  UT.Intemal  then 
0UTPUT_W0RD(16#0000#,  PD,  16#0260#) ; 
else 

OUTPUT_WORD(16#OOO0#,  PO,  16#0250#) ; 
end  if ; 


when  others  => 

—  Added  to  aid  debugging. 

—  In¥alid_Opcode_While_Processing  =  102 
TM.DATA . MANAGE . REPORT_SYSTEM_ERRDR( 102) ; 
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end  case; 

end  if;  — SDVS  add  —  if 
— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete:  end;  —  for 

— SDVS  delete  (task  loop)  : 

— SDVS  delete  (task  loop) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

— SDVS  delete  (exception) : 

end  PROCESS.MSG; 


App_Msg_Comiter  >  0 
exit ; 

exception 

when  tasking_error  => 

writestring("appiiite  1"); 
writeln; 

when  others  => 

writestring("appme  2"); 
writeln; 

begin 

end  loop; 

end  loop; 

exception 

when  tasking. error  => 

writestring ("appmteol  3") ; 
writeln; 

when  others  => 

writestring("appineol  4"); 
writeln; 


TASK  MANAGE_HSG_RETRIEVAL 


—  PURPOSE  :  This  task  returns  the  next  application  message 

to  be  processed  by  the  APP_HSGS.PROCESS_MSG. 

APP_MSGS.PROCESS_MSG  initiates  a  rendezvous  with  MANAGE. 
MSG.RETRIEVAL  at  the  entry  point  RET_NEXT_MSG . 

APP.MSGS  .BXJILD  initiates  a  rendezvous  with  MANAGE.MSG- 
RETRIEVAL  at  the  entry  point  NOTIFY_MSG_STORED  when  the 
message  queue  goes  from  empty  to  a  message  stored. 

—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 

mm/dd/yy  B.  Na  Build  2  Changes 
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— SDVS  delete  (task) :  task  body  MANAGE_MSG_RETRIEVAL_TYPE  is 
procedure  MANAGE_MSG_RETRIEVAL(App_Msg_Out  : 

out  CMDS_TYPES.APP_MSG_Oirr_TYPE)  is  —SDVS  replace 

HuM_Words_Curr_App_Msg  :  INTEGER; 

begin 


— SDVS  delete  (task  loop) : 


loop 


— SDVS  delete  (task  loop) : 
— SDVS  delete  (task  loop) : 


loop  —  for  tasking.error 
begin 


— SDVS  delete  (task) : 


select 


— SDVS  delete  (task) ; 


when  App_Msg_Counter  >  0  => 


— SDVS  delete  (task) : 
— SDVS  cont : 


accept  RET_NEXT_MSG(App_Msg_Out  :  out 

CMDS_TYPES.APP_MSG_OUT_TYPE)  do 


— SDVS  delete  (2-diBensional  array):  Num_Words_Curr_App_Msg  := 

—SDVS  cont:  CGNV_WORD_TO_INTEGER  (App_Hsg_Q(Q_Head,  CHDS.TYPES . App_Msg_Max) ) ; 
Nuia_Words_Curr_App_Msg  :  = 

COHV_WaRD_TD_INTEGER  (App_Hsg_q(Q_Head)  (CMDS.TYPES.  App.Msg.Max))  ;  —SDVS  replace 


—SDVS  delete  (1750A);  MEHORY_MANAGER.CONV_TYPE 

— SDVS  delete  (1750A):  (App_Msg_Q(Q_Head,  1) ’address, 

— SDVS  delete  (1750A):  App_Msg_ Out (1) ’address , 

— SDVS  delete  (1750A):  Nuii_Words_Curr_App_Msg) ; 

for  index  in  1  . .  NuB_¥ords_Curr_App_Msg  loop  — SDVS  replace 
App_Msg_Out (index)  :=  INTEGER(App_Msg_Q(Q_Head) (index) ) ;  — SDVS  replace 
end  loop;  — SDVS  replace 

—  save  the  number  of  words  for  application  message  at  the 
bottom* 


App_Msg_Out (CMDS_TYPES . App_Hsg_Max)  :=  Num_Words_Curr_App_Msg; 
Q_Head  :=  (Q_Head  mod  App_Msg_Q_Size)  +  1; 

—  XID  RA.DSBL 

—SDVS  delete  (artclient)  :  ARTCLIEHT.ENTER_CRITICAL_ SECTION; 

App_Msg_Counter  :=  App_Hsg_Counter  -  1; 

—  XIO  RA.ENBL  enables  int. 

—SDVS  delete  (artclient):  ARTCLIENT. LEAVE. CRITICAL.SECTION; 

—SDVS  delete  (task):  end  RET_NEXT_MSG ; 
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— SDVS  delete  (task) :  or 

— SDVS  delete  (task):  accept  NDTIFY.MSG.STORED; 

— SDVS  delete  (task);  end  select; 

— SDVS  delete  (task):  exit; 

— SDVS  delete  (exception) :  exception 

— SDVS  delete  (exception) :  when  tasking_eTTor  => 

— SDVS  delete  (exception):  writestring("apfflrte  1") ; 

— SDVS  delete  (exception) :  writeln; 

— SDVS  delete  (exception) :  when  others  => 

— SDVS  delete  (exception):  writestring("apmre  2"); 

— SDVS  delete  (exception) :  writeln; 

— SDVS  delete:  end;  —  for  begin 

— SDVS  delete  (task  loop);  end  loop; 

— SDVS  delete  (task  loop):  end  loop; 

— SDVS  delete  (exception):  null; 

— SDVS  delete  (exception) :  exception 

—SDVS  delete  (exception)  :  when  tasking_error  => 

— SDVS  delete  (exception)  :  writestring(”apinrteol  3")  ; 

— SDVS  delete  (exception) :  writeln; 

— SDVS  delete  (exception) :  when  others  => 

— SDVS  delete  (exception):  writestring("apnireol  4"); 

— SDVS  delete  (exception) :  writeln; 

end  MANAGE_MSG_RETRIEVAL; 


— SDVS  comment:  The  function  and  two  procedures  that  follow  are  never 
— SDVS  comment:  called  in  this  target  code.  They  are 

— SDVS  comment:  called  by  TH. COLLECT  for  telemetry  reports  on  the  system. 
— SDVS  comment:  We  have  therefore  deleted  them. 
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FUNCTION  NEW_TM_DATA 


—  PURPOSE:  This  function  returns  TRXJE,  if  nen  telemetry  data  is 

available  to  be  collected.  Otheroise,  FALSE  is  returned. 


—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 


—SDVS 

delete: 

function  NEW_TH_DATA  return  BOOLEAN  is 

—SDVS 

delete : 

begin 

—SDVS 

delete: 

if  Read_Ptr  =  Write_Ptr  then 

—SDVS 

delete: 

return  FALSE; 

—SDVS 

delete: 

else 

—SDVS 

delete: 

return  TRUE; 

—SDVS 

delete: 

end  if ; 

—SDVS 

delete: 

end  NEW_TM_DATA; 

PROCEDURE  RET_LATEST_CMDS 


—  PURPOSE:  To  provide  the  latest  40  serial  digital  commands 

received  from  CP  to  TH. COLLECT  for  reporting  in  the  next 
frame  of  the  housekeeping  telemetry. 

—  NOTES: 

—  CHANGE  HISTORY: 

11/11/91  B.  Na  Initial  Version 


—SDVS 

delete : 

procedure  !IET_LATEST_CMDS  (Latest_ 

—SDVS 

delete : 

Buf .Index 

:  INTEGER; 

—SDVS 

delete : 

Que.Index 

:  INTEGER; 

—SDVS 

delete: 

Temp.Read.Ptr 

:  INTEGER; 

—SDVS 

delete : 

Num.New.Cmds 

:  INTEGER; 

—SDVS 

delete : 

begin 

—SDVS 

delete: 

Temp.Read.Ptr 

:=  Read.Ptr; 

:  out  LATEST_CMD_TM_TYPE) 


—  Determine  the  number  of  the  latest  cmds  stored  in  queue 

—  and  not  reported  in  TM  previously 


— SDVS  delete:  Nuiii_Ne¥_Cads  :=  0; 


is 
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— SDVS  delete: 
— SDVS  delete: 


while  ( (Teiiip_Read_Ptr  /=  Write.Ptr)  and 

(Num_New_Cmds  <=  Latest_Cmds_Q_Size) )  loop 

— SDVS  delete:  Teiiip_Read_Ptr  :=  (Temp_Read_Ptr  mod  Latest_Cmds_Q_Size)  +  1; 

— SDVS  delete:  Ntun_New_Cmds  :=  Nuia_Hew_Cmds  +  1; 

— SDVS  delete:  end  loop; 

— SDVS  delete:  Latest_Cmd_TH. Fresh. Cmd_Co\int  :=  Hum.New.Cmds ; 


— SDVS  delete:  if  (Temp.Read.Ptr  /=  0)  and  (Num.new.cmds  <=  Max.Num.Latest.Cmds)  then 

— SDVS  delete:  Que.Index  :=  Temp.Read.Ptr; 

— SDVS  delete:  for  Buf. Index  in  1 . .Max.Num.Latest.Cmds  loop 

— SDVS  delete:  Latest.Cmd.TM. Cmd.Buf (Buf. Index)  :=  Latest.Cmds.Q (Que.Index) ; 

— SDVS  delete:  Latest.Cmd.TM. Status.Buf (Buf .Index)  :=  Latest.Status.Q (Que.Index) ; 

— SDVS  delete:  Que.Index  :=  Que.Index  -  1; 

— SDVS  delete:  if  Que.Index  <=  0  then 

— SDVS  delete:  Que.Index  :=  Latest.Cmds.Q.Size; 

— SDVS  delete:  end  if; 

— SDVS  delete:  end  loop; 

— SDVS  delete:  Read.Ptr  :=  Temp.Read.Ptr; 

— SDVS  delete:  elsif  (Temp.Read.Ptr  /=  0)  then  —  if  number  of  latest  cmds  is 

—  more  than  40 

— SDVS  delete:  Temp.Read.Ptr  :=  Read.Ptr; 

— SDVS  delete:  for  Buf.Index  in  reverse  1 . .Max.Num.Latest.Cmds  loop 

— SDVS  delete:  Temp.Read.Ptr  :=  (Temp.Read.Ptr  mod  Latest.Cmds.Q.Size)  +  1; 

— SDVS  delete:  Latest.Cmd.TM. Cmd.Buf (Buf.Index)  :=  Lat est. Cmds .Q (Temp.Read.Ptr) ; 

— SDVS  delete:  Latest.Cmd.TM. Status.Buf (Buf.Index)  :=  Latest.Status.Q (Temp.Read.Ptr) ; 

—SDVS  delete: 

— SDVS  delete:  end  loop; 

— SDVS  delete:  Read.Ptr  :=  Temp.Read.Ptr; 

— SDVS  delete:  else  —  if  Read.Ptr  =  0,  no  cmd  is  received  since  power  up 

—  Set  to  something  to  avoid  exception. 

— SDVS  delete:  for  Buf.Index  in  1 .  .Max.Nvua.Latest.Cmds  loop 

— SDVS  delete:  Latest.Cmd.TM. Cmd.Buf (Buf.Index)  :=  Latest.Cmds.Q (Buf.Index) ; 

— SDVS  delete:  Latest.Cmd.TM. Status.Buf (Buf.Index)  :=  Latest.Status.Q (Buf.Index) ; 

— SDVS  delete:  end  loop; 

— SDVS  delete:  end  if; 


—  Note:  Cmd.Total  is  not  always  consistent/correlated  with 
Rejected.Cmd.Count  because  increase  Cmd.Total  by 
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CBd_Count  and  later  individually  process  cuds  to  see 
if  should  increment  Rejected_Cmd_Count. 

— SDVS  delete:  Latest_CMd_TM. Cmd.Total  :=  APP_MSGS .Cmd_Total ; 

— SDVS  delete:  Latest_Cmd_TM. Rejected. Cmd_Count  :=  APP.MSGS .Rejected. Cmd.Count ; 

—SDVS  delete:  Latest. Cmd.TM. lO.Status.Word  :=  APP.MSGS.IO.Status.Word; 

—SDVS  delete:  Latest.Cmd.TM. FIFO.Mot.Empty.Count  :=  APP .MSGS .FIFO .Not. Empty. Count ; 

— SDVS  delete:  Latest.Cmd.TM. Saved.Sat.Subsys.Config  :=  APP .MSGS. Saved.Sat.Subsys.Config; 

—SDVS  delete:  end  RET.LATEST.CMDS ; 


PROCEDURE  RET.INIT_CMD.LAST.APP.MSG 


—  PURPOSE:  To  provide  the  starting  serial  digital  command 

corresponding  to  the  last  application  message  to  TM. COLLECT 
for  reporting  in  the  next  frame  of  the  housekeeping  telemetry. 

—  NOTES: 

—  CHANGE  HISTORY: 

11/11/91  B.  Na  Initial  Version 


—SDVS  delete:  procedure  RET.INIT.CHD.LAST.APP.MSG 

—SDVS  delete:  (Last.App.Msg.TM  :  out  LAST.APP.MSG.TM.TYPE)  is 

— SDVS  delete:  begin 

— SDVS  delete:  Last.App.Msg.TM. Starting.Cmd  :=  APP .MSGS . Cmd.Last.App.Msg; 

—SDVS  delete:  Last.App.Msg.TM.  Cmd.Total  :=  APP  .MSGS .  Cmd.Total ; 

— SDVS  delete:  Last.App.Msg.TM. Rejected. Cmd.Count  :=  APP.MSGS.Rejected.Cmd.Count; 

— SDVS  delete:  Last.App.Msg.TM. FIFO .Not.Empty.Count  :=  APP.MSGS . FIFO.Not.Empty.Count ; 

—SDVS  delete:  Last.App.Msg.TM. lO.Status.Word  :=  APP.MSGS.IO.Status.Word; 

— SDVS  delete:  Last.App.Msg.TM. Saved.Sat.Subsys.Config  :=  APP.MSGS. Saved.Sat.Subsys.Config; 

—SDVS  delete:  end  RET.INIT.CMD.UST.APP.MSG ; 

— SDVS  comment:  The  function  RET.MSG.LENGTH  returns  the  length  of  the  next  block 
— SDVS  comment:  of  commands  in  the  input  based  on  the  message  identifier.  We 
— SDVS  comment:  added  it  for  the  scheduler. 

function  RET.MSG.LENGTH (Msg.Id:  GLOBAL.TYPES . BYTE)  return  INTEGER  is  —SDVS  add 
begin  — SDVS  add 

return  Cmds_For_Data_Struc(CONV_BYTE_TO_INTEGER(Msg_Id)) ;  — SDVS  add 
end  RET.MSG.LENGTH;  —SDVS  add 


INITIATE_BUILD 
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—  PURPOSE  :  This  procedure  initiates  the  application  message 

building  when  called  by  APP_MSGS. BUILD.  The  rules  for 
building  an  app_insg  to  verify  the  checksum  are  as  follows: 

1)  app_msg(l)  is  blank.  This  is  so  that  after  the 

checksum  is  verified,  the  header  for  RAM_mem_Load, 
EEPROH_mem_load,  and  Mem_Dump_X_Frames  can  be 
easily  modified  to  store  the  address  in  32  bits. 

2)  app_msg(2)  contains  the  initial  data  op-code  for 
the  application  msg. 

3)  if  more  than  one  command  is  required  for  an  application 
message  then  the  data  associated  with  the  checksum  is 
stored  in  app_msg(3) . . app_msg(n) .  App_msg(n)  is  a 
complete  word.  There  is  not  a  spare  byte  at  the  end. 
App_msg(n+1)  contains  the  checksum. 

—  EXCEPTIONS: 

—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 

mm/dd/yy  B.  Na  Build  2  Changes 


procedure  INITIATE.BUILD  (Staxt_Op_Code  :  in  GLOBAL.TYPES . BYTE ; 

Cmd_Buf_Index  :  in  INTEGER)  is 

—  Used  to  hold  intermediate  values  for  bitwise  operations. 

Temp_word  :  GLOBAL_TYPES . WORD ; 

High_Byte_Word  :  GLOB AL.TYPES. WORD; 

Low_Byte_Word  :  GLOB AL.TYPES . WORD ; 

Data_Struc_ID_Found  :  BOOLEAN; 

Start_Build  :  BOOLEAN; 

Struc_ID_Index  :  INTEGER; 

—  Used  to  hold  intermediate  values  during  the  calcualtions  of  the 

—  number  of  commands  and  number  of  words  for  for  the  memory  load 

—  messages. 

X  :  INTEGER; 

Y  :  INTEGER; 

begin 

Start .Build  :=  False; 
case  Start.Op.Code  is 
when  Data.Struc.Load  => 
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—  See  Message  format  for  Group  1  commands  below. 

Data_Struc_ID_Found  :=  False; 

Struc_ID_Index  := 

CONV_BYTE_TD_INTEGER(Cad_Buf(CBd_Buf .Index) .Third.Byte) ; 

if  (Struc.ID.Index  <=  TRKING.DATA.STRUC .Hum.Data.Struc)  and 
(Struc.ID.Index  >  0)  then 

Cont.Cmd  Data.Load.Cmd; 

Num.Cmds.For.App.Msg  :=  Cmds.For.Data.StrucCStruc.ID.Index) ; 
Num.Words.For.App.Msg  :=  TRKIHG_DATA_STRUC.Words_For_Data_Struc( 

Struc.ID.Index)  +  1 ; 

—  The  look-up  table,  Cmds.For.Data.Struc,  holds  a  value  0 

—  0  if  the  corresponding  data  structure  does  not  exist, 
if  (Num.Cmds.For.App.Msg  /=  0)  then 

Data.Struc.ID.Found  :=  True; 

St art .Build  :=  True; 
end  if ; 
end  if ; 

if  (Data.Struc.ID.Found  =  False)  then 

Cmd.Status.Btif(Cmd.buf. index)  ;=  Invalid.Data.Struct.Msg.ID; 

—  Data.Struct.ID.Not.Found  =  13 
TM.DATA .MANAGE . REPaRT.SYSTEM.ERROR( 13) ; 

Rejected.Cmd.Count  := 

(Re j ected.Cmd.Count  +  1)  mod  Hax.Rejected.Cmd.Count ; 

end  if ; 


when  RAM.Mem.Load  I  EEPROM.Mem.Load  => 

—  See  message  format  for  Group  1  commands  below. 


—  X  is  the  number  of  load  data  words  specified  in  the  command. 
X  :=  CONV_BYTE.TO_INTEGER(Cmd.Buf (Cmd.buf .index). Second.Byte); 

—  Limit  the  number  of  load  data  words  to  75  here  to  prevent 

—  a  constraint  error  (App.Msg  is  defined  for  80  words) . 
if  (X  >  0)  and  (X  <=  75)  then 

Cont.Cmd  :=  Data.Load.Cmd; 

—  New  Method: 

Y  : =  2  +  2X  /  3  where  X  =  num  of  load  words ,  >  0 
Num.Cmds.For.App.Msg  :=  Y  if  remainder  =  0 
Num.Cmds.For.App.Msg  :=  Y  +  1  if  remainder  /=  0 

Y  :=  2  +  ((2  *  X  )/  3); 
if  (X  rem  3)  =  0  then 

Num.Cmds.For.App.Msg  :=  Y; 


120 


else 

Nvuii_Cmds_For_App_Msg  :=  Y  +  1; 
end  if ; 

Niim_Words_For_App_Hsg  :=  X  +  4; 

Start_Build  :=  True; 

else  —  Invalid  number  of  load  data  words. 

—  Invalid_Num_Of _Load_Data_Words  =  103 
TM.DATA .MANAGE . REP0RT_SYSTEM_ERR0R(103) ; 

Rejected_Cmd_Coimt  :  = 

(Rejected_Cmd_Co\mt  +  1)  mod  Max_Rejected_Cmd_Count ; 

end  if ; 

when  Set_RAM_Def _Tab_Entry  => 

—  COMING  SOON  or  maybe  never 
null; 


when  Prep_For_Long_Load  I  Sat_Subsys_Conf ig  I  irT_Control  => 

if  App_Msg_Counter  <  App_Msg_Q_Size  then 

—  Message  Format  For  Group  2  Commands 

+ - + - + - + - + - + - + - ^ - + - + - + - + - + - + - + - + - + 

—  1|0  0  0  0  0  0  0  0|  cmd  byte  1  without  parity  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  21/  /  /  /  /  /  /  /I  cmd  byte  2  I 

+ - + - + - + - + - + - + - H - + - + - + - + - + - + - + - + - + 

—  31/  /  /  /  /  /  /  /I  cmd  byte  4  I 

I////////////////I 

+ - + - + - ^ - + - ^ - 1 - 1. - + - + - + - H - + - + - K - K - K 


+ - + - + - + - K - + - + - + - ^ - + - 1. - + - + + - + - h - + 

—  80  1  n\im  of  msg  words  =  3  1 

— —  ^ - 4 - (■— — — — I-— 4-. — 4 - 4.__4— — 4— 4— -._4 

—  Note:  /  represents  bits  not  initialized, 
cmd  byte  3  is  not  used. 

—  Save  the  command  associated  with  the  last  application  message, 

—  so  it  can  be  reported  to  TM. 

Cmd_Last_App_Msg  : =  Cmd_Buf (Cmd_buf _index) ; 

Q_Tail  :=  (Q_Tail  mod  App_Msg_Q_Size)  +  1; 

— SDVS  delete  (2-dimensional  array):  App_Msg_Q(Q_Tail,  1)  := 
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— SDVS  delete  COHV_BYTE_TO_WORD(Start_ap_Code) ; 

App_Hsg_Q(Q_Tail)  (1)  :=  CONV_BYTE_TO_WORD(Start_Qp_Code)  ;  —SDVS  replace 


— SDVS  delete  (2-diaensional  array):  App_Msg_Q(Q_Tail,  2)  := 

— SDVS  delete  (2-di»ensional  array):  COHV_BYTE_TO_WORD(CMd_Buf (CBd_buf_index) .Second_Byte) ; 
App_Msg_Q(Q_Tail) (2)  :=  — SDVS  replace 

CDHV_BYTE_TD_¥ORD(Ciid_Buf  (Cmd_buf_indei)  .Second_Byte)  ;  — SDVS  replace 


— SDVS  delete  (2-di*ensional  array):  App_Msg_Q (Q_Tail ,  3)  := 

— SDVS  delete  (2-diiBensional  array):  CQHV_BYTE_TO_WORD(C*d_Buf  (C»d_buf_index)  .Fourth_Byte)  ; 
App_Msg_C!(Q_Tail)  (3)  :=  — SDVS  replace 

COHV_BYTE_TO_WORD(Cmd_Buf  (Cmd_buf_index)  .Fourth.Byte)  ;  —SDVS  replace 


— SDVS  delete  (2-diiiiensional  array):  App_Msg_Q(Q_Tail,  CMDS_TYPES . App_Msg_Max)  :=  3; 
App_Msg_Q(Q_Tail)  (CMDS_TYPES.App_Msg_Max)  :=  3;  —SDVS  replace 


—  XIO  RA.DSBL  disables  int. 

— SDVS  delete  (artclient) :  Artclient .Enter. Critical.Section; 

__  «*«  reminder  **♦ 

—  Check  assembly  to  make  sure  App_Msg_Counter  read  from  RAM 
—  (i.e.  current  value  of  App_Msg_Counter)  not  from  register. 

App_Msg_Counter  :=  App_Msg_Co\mter  +  1; 

—  XIO  RA.EHBL  enables  interrupt. 

— SDVS  delete  (artclient):  Artclient .Leave_Critical_Section; 

else  —  queue  is  full 

—  App_Msg_Q_Overflowed  =  17 

TM.DATA . MANAGE . REPORT. SYSTEM_ERRDR( 17) ; 

Rejected.Cmd.Count  := 

(Rejected.Cmd.Count  +  1)  mod  Max.Rejected.Cmd.Count ; 
Cmd.Status.Buf (Cmd.buf. index)  :=  App.Msg.Dropped; 

end  if ; 


when  Mem.Dump.X.Frames  => 

—  See  message  format  for  Group  1  commands  below. 

Cont.Cmd  :=  Ext.Dump.X.Frames ; 

Num.Cmds.For.App.Msg  :=  2; 

Nxus.Words.For.App.Hsg  :=  4; 

St art .Build  :=  True; 
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when  No_op_Cmd  I  Clr .Timeout .Telltale  => 
if  App.Msg.Counter  <  App.Hsg.Q.Size  then 
—  Message  Format  For  Group  3  Commands 


- +. 

— 

-+ — + — +- 

- + — 

.+ — 

_+ — 

1 

+ 

1 

1 

1 

+ 

1 

1 

1 

+ 

1 

1 

1 

+ 

1 

1 

1 

+ 

1 

1 

1 

+ 

1 

+ 

1 

+ 

0 

0 

0  0 

0  0 

0 

0 

1  cmd  byte  1  without  parity 

/ 

/ 

/  / 

/  / 

/ 

/ 

//////// 

- 1.. 

■+ - + - +■ 

_ + _ 

.+ — 

-+ — 

-H - + - + - + - + - + - + - + - 

+ - + - + - + - + - + - + - 1 + - + - -I - + - + - + - + - + - + 

—  80  I  num  of  msg  words  =  1  I 

+ - + - + - + - + - + - + - + + - + - + - + - + - + - + - + - + 

—  Note:  /  represents  bits  not  initialized. 

cmd  byte  2,  3  and  4  are  not  used. 

—  Save  the  command  associated  with  the  last  application  message, 

—  so  it  can  be  reported  to  TH. 

Cmd.Last.App.Msg  :=  Cmd.Buf (Cmd.buf .index) ; 

Q.Tail  :=  (Q.Tail  mod  App.Hsg.Q.Size)  +  1; 

-SDVS  delete  (2-dimensional  array):  App_Msg_Q(Q_Tail,  1)  := 

-SDVS  delete  CONV.BYTE.TO.WORDCStart.Dp.Code) ; 

App.Hsg.Q (Q.Tail)  (1)  :=  C0NV.BYTE_T0_W0RD(Start_0p_Code)  ;  —SDVS  replace 


—  store  application  message  size  for  this  type  of  commands 

—  at  the  end  of  application  message  array 

-SDVS  delete  (2-dimensional  array):  App.Hsg.Q (Q.Tail,  CMDS.TYPES.App.Hsg.Mai)  :=  1 
App.Msg. Q (Q.Tail) (CMDS.TYPES.App.Msg.Max)  :=  1;  — SDVS  replace 

—  XIO  RA,DSBL  disables  int. 

-SDVS  delete  (artclient)  :  Artclient  .Enter. Criticcil.Section; 

—  ***  REMINDER  *** 

—  Check  assembly  to  make  sure  App.Msg.Counter  read  from  RAM 

—  (i.e.  current  value  of  App.Msg.Counter)  not  from  register. 

App.Msg.Counter  :=  App.Msg.Counter  +  1; 

-SDVS  delete  (artclient):  Artclient .Leave.Critical. Section;  —  XIO  RA,ENBL 

else  —  queue  is  full 

—  App.Msg.Q.Overflowed  =  17 

TM.DATA .MANAGE . REPORT. SYSTEH.ERR0R( 17) ; 

Rejected.Cmd.Count  := 

(Rejected.Cmd.Count  +  1)  mod  Max.Rejected.Cmd.Count ; 

Cmd.Status.Buf (Cmd.buf. index)  :=  App.Hsg_Dropped; 

end  if ; 
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when  Chg_Monitor_Loc 


=> 

—  See  Message  format  for  Group  1  conmaiids  below. 

Cont_CMd  :=  Ert_Chg_Mon_Loc ; 

NuB_CMds_For_App_Msg  9; 

NuM_Words_For_App_Msg  :=  14; 

Start_Build  True; 


when  Soft_Reset  => 

—  Message  Format  For  Group  4  Commands 


+ - 

1  0 

f- — 

0 

-+ — 

0 

0 

J. — 

0 

0 

h — 

0 

“+ - H 

0 

l. - + - + - + - + - + - + - + - + 

cmd  byte  1  without  parity  ! 

1  / 

+ - 

/ 

t- — 

/ 

_+ — 

/ 

/ 
L - 

/ 

/ 

1- — 

/ 

-+ - H 

////////I 

h - + - + - + - + - + - + - + - + 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  80  1  num  of  msg  words  =  1  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  Mote:  /  represents  bits  not  initialized. 

cmd  byte  2,  3  and  4  are  not  used. 

—  Save  the  command  associated  with  the  last  application  message, 

—  so  it  can  be  reported  to  TM. 

Cmd_Last_App_Msg  :=  Cmd_Buf (Cnd_buf_indei) ; 

if  App_Msg_Counter  <  App_Msg_Q_Size  then 

Q_Tail  (C]_Tail  mod  App_Hsg_Q_Size)  +  1; 

— SDVS  delete  (2-dimensional  array):  App_Hsg_Q(Q_Tail ,  1)  := 

— SDVS  delete  CONV_BYTE_TO_tfDRD(Start_Op_Code) ; 

App_Msg_Q(Q_Tail)  (1)  :=  CONV_BYTE_TO_WORD(Start_Dp_Code)  ;  —SDVS  replace 

—  Store  application  message  size  for  this  type  of  commands 

—  at  the  end  of  application  message  array 

— SDVS  delete  (2-dimensional  array):  App_Hsg_Q(Q_Tail,  CMDS_TYPES.App_Msg_Max) 

— SDVS  delete  :=  1; 

App_Msg_Q(q_Tail)(CMDS_TYPES.App_Hsg_Max)  :=  1;  —SDVS  replace 

—  XID  RA.DSBL  disables  int. 

— SDVS  delete  (artclient) :  Artclient .Enter_Critical_Section; 

—  mm*  REMINDER  *** 

—  Check  assembly  to  make  sure  App_Msg_Coimter  read  from  RAM 

—  (i.e.  current  value  of  App_Msg_Counter)  not  from  register. 

App_Msg_Counter  :=  App_Msg_Counter  +  1; 
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-SDVS  delete  (artclient) : 


Ar t c 1 i ent . Leave_ Cr it ic al _ S e ct i on ; 


else 

—  FOR  SOFT  RESET,  IF  THERE  IS  NOT  ROOM,  MAKE  ROOM! 

-SDVS  delete  (2-diinensional  array):  App_Msg_Q (Q_Tail ,  1)  :  = 

-SDVS  delete  CONV_BYTE_TO_WDRD(Start_Op_Code) ; 

App_Msg_Q(Q_Tail)(l)  :=  CONV_BYTE_TO_WORD(Start_Op_Code)  ;  —SDVS  replace 

—  Store  application  message  size  for  this  type  of  commands 
—  at  the  end  of  application  message  array 
-SDVS  delete  (2-dimensional  array):  App_Msg_Q(Q_Tail,  CMDS_TYPES . App_Msg_Max)  :=  1 
App_Msg_Q(Q_Tail)  (CMDS .TYPES. App_Msg_Mar)  :=  1;  —SDVS  replace 

—  App.Hsg.Overnritten.Sys  =  15 
TM_DATA .MANAGE . REP0RT_SYSTEM_ERR0R(15) ; 

Cmd_Status_Buf (Cmd.buf .index)  :=  App.Msg.Overwritten; 

end  if ; 


when  others  => 

—  Starting.Cmd.Not.Valid  =  14 
TM.DATA . MANAGE . REPORT.SYSTEM.ERROR ( 14) ; 

Rejected.Cmd.Count  := 

( Re jected.Cmd. Count  +  1)  mod  Max.Rejected.Cmd.Count ; 
Cmd_Status_Buf(Cmd_buf .index)  :=  Invalid.Starting_Cmd; 

end  case;  —  Start.Op.Code 


if  Start.Build  then 

—  Message  Format  For  Group  1  Commands 

+ - + - + - + - + - + - + - + - + - H - + - ^ - + - + - + - + - + 

—  llOOOOOOOOOOOOOOOOl 

+ - + - + - + - + - + - + - + - h - H - + - + - + - + - + - h - + 

—  2|0  0  0  0  0  0  0  0|  cmd  byte  1  without  parity  1 

+ - H - + - + - h - + - + - + - h - + - H - + - ^ - + - + - + - + 

—  3  I  cmd  byte  2  I  cmd  byte  3  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

—  4  I  cmd  byte  4  I  to  be  filled  by  continue.build  1 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

I  to  be  filled  by  continue  build  I 

+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 


+ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

I  checksum  =  to  be  filled  by  continue  build  1 
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—  + - H - h - H - + - + - + - 1 - 1 - 1 - 1 - 1 - H - + - + - 1 - H 

—  80  I  niiB  of  msg  words  =  to  be  filled  by  continue  build  I 

+ - + - + - + - + - + - + - + - + - + - + - H - + - + - + - + - + 

App.Msgd)  :=  0; 

App_Msg(2)  —  C0NV_BYTE_Ta_W0RD(Start_0p_Code); 

—  join  Second_Byte  and  Third_Byte  and  store  in  App_Msg(3) 

Teiiip_word  C0NV_BYTE_T0_W0RD(Cnd_Buf  (Ciad_buf_inder) . Second_Byte) ; 

High_Byte_Word  SHIFT_LOGICAL_WORD(Temp_Bord,  8) ; 

Teiip_Word  :=  C0HV_BYTE_T0_W0RD(CBid_Buf  (Cmd_buf_index)  .Third_Byte) ; 

App_Msg(3)  :=  QR_WQRD(High_Byte_tford,  Temp_Word) ; 

TeiBp_¥ord  :=  C0NV_BYTE_TQ_W0RD(Cmd_Buf  (Cmd_buf_index)  .Fourth_Byte)  ; 

App_Msg(4)  :=  SHIFT_LOGICAL_WDRD(Temp_Bord,  8); 

—  Save  the  opcode  with  parity  to  be  included  in  Cmd_Last_App_Msg  which 

—  will  be  reported  to  TM. 

Starting_Cmd_With_Par  :=  Cmd_Buf(Cmd_buf .index) .First_Byte; 

—  First  of  the  multiple  commands  message  received. 

Cmds.Rcvd  ; =  1 ; 

—  Next  word  to  be  filled  by  Continue.Build. 

Word.Cntr  :=  4; 

Build. In.Progress  : =  True ; 

Start .Build  :=  False; 

end  if ;  —  start .build  =  true 


— SDVS  delete  (exception) :  exception 

— SDVS  delete  (exception) :  when  others  => 

— SDVS  delete  (exception) :  writestring("ibe  2") ; 

— SDVS  delete  (exception);  writeln; 


end  INITIATE .BUILD; 


CONTINUE.BUILD 


—  PURPOSE  :  This  procedure  continues  to  build  the  application 

message  for  the  serial  digital  command  whose  opcode 
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signals  the  continuation  of  the  last  starting  command. 


—  EXCEPTIONS: 

—  NOTES: 

—  CHANGE  HISTORY: 

10/16/91  B.  Na  Initial  Version 

mm/dd/yy  B.  Na  Build  2  Changes 


procedure  CONTINUE.BIIILD 

(Cont_0p_Code  :  in  GLOBAL .TYPES. BYTE; 
Cmd_Buf_Index  :  in  INTEGER)  is 


App_Msg_Checksum 
App_Msg_  St  art  _W or d 


:  GLOB AL.TYPES. WORD; 
:  INTEGER; 


Msg_Word_Index  :  INTEGER; 

Q_Word_ Index  :  INTEGER; 


—  Used  to  hold  intermediate  values  for  bitoise  operations. 
Temp .Word  :  GLOB AL.TYPES .WORD ; 

High_Byte_Word  :  GLOB AL.TYPES. WORD; 

Lov_Byte_Word  :  GLOB AL.TYPES. WORD; 

begin 

if  Cont_0p_Code  =  Cont.Cmd  then 
—  Continue  build  the  message, 
if  (Cmds.Rcvd  mod  2)  =  0  then 


—  Note:  1st  byte  of  a  command  is  op-code. 


+ - H - + 

—  Word_Cntr+l  I  2nd  byte  I  3rd  byte  I 

+ - + - + 

+2  I  4th  byte  I (will  be  filled  next) I 

+ - + - + 


Word.Cntr  :=  Word.Cntr  +  1; 

Temp.Word  :=  C0NV_BYTE_T0_W0RD(Cmd_Buf(Cmd_Buf .Index) .Second.Byte) ; 

High.Byte.Word  :=  SHIFT_L0GICAL.W0RD(Temp_Word,  8); 

Low.Byte.Word  :=  C0NV.BYTE_T0_W0RD(Cmd.Buf(Cmd.Buf .Index) .Third.Byte) ; 
App.MsgCWord.Cntr)  :=  OR.WORD (High.Byte.Word,  Low.Byte.Word); 

Word.Cntr  :=  Word.Cntr  +  1; 

Temp.Word  :=  C0HV.BYTE.T0.W0RD(Cmd.Buf(Cmd_Buf .Index) .Fourth.Byte) ; 
App_Msg(Word_Cntr)  :=  SHIFT.LOGICAL.WORD (Temp.Word,  8); 
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else  —  (Cmds_Rcvd  nod  2)  /=  0 


—  Note:  1st  byte  of  a  conmand  is  op-code. 


+ - + - + 

—  Word_Ctr+0  I  (already  filled)  |  2nd  byte  I 

+ - + - + 

+1  I  3rd  byte  I  4th  byte  I 

+ - + - + 

Low_Byte_Word  :=  CONV_BYTE_TO_WORD(Gmd_Buf  (CiBd_Buf_Index)  .Second_Byte)  ; 

App_Msg(Word_Cntr)  :=  OR_WORD(App_Msg(Word_Cntr) ,  Low_Byte_Word) ; 

Word_Cntr  :=  Word_Cntr  +  1; 

Temp.Word  ;=  CQNV_BYTE_TO_WORD(Cmd_Buf  (Cmd_Buf_Index)  .Third_B5rte)  ; 

High_Byte_Word  :=  SHIFT_LQGICAL_WORD(Teiiip_Word,  8); 

Lo¥_Byte_Word  :=  CONV_BYTE_TO_WORD(Cmd_Buf (CMd_Buf_Index) .Fourth_Byte) ; 

App_Msg(Word_Cntr)  :=  DR_WORD(High_Byte_Word,  LoB_Byte_Word) ; 

end  if ; 

C*ds_Rcvd  :  »=  C«ds_Rcvd  +  1 ; 


if  Cmds.Rcvd  =  Nuii_Ciids_For_App_Msg  then 

—  1)  Check  checksuBi  (i.e.  validate  msg)  . 

—  2) If  good  checksum  then: 

a)  If  room  in  Queue,  then  store  msg  in  App_Msg_Q. 

b)  Else,  report  system  error  and  flag  app_msg_ dropped. 

—  3)Elseif  bad  checksum  report  with  cmd  status. 

—  4) Reset  build_in_progress  flag. 

App_Msg_ Checksum  :=  0; 

—  To  verify  the  checksum,  bytes  are  stored  in  App_Msg  with  App_Msg(l) 

—  blank,  App_Msg(2)  containing  the  Data  op-code  for  the  first  cmd 

—  associated  with  the  App_Msg.  Data  associated  with  the  checksum 

—  for  the  App_Msg  starts  at  App_Msg(3).  Num_Words_For_App_Msg  does 

—  not  include  the  checksum  location. 


for  Msg_Word_Index  in  3 . . Num_Words_For_App_Msg  loop 

App_Msg_Checksxnii  :=  X0R_¥DRD  (App_Hsg_Checksum, 

App_Msg(Hsg_Word_Indei) ) ; 

end  loop; 

— @  after_checksum_calculation  — SDVS  add 

if  App_Msg_ Checksum  =  App_Msg(Num_Words_For_App_Hsg  +  1)  then 
—  Checksum  good! 
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if  App_Msg_Counter  <  App_Hsg_Q_Size  then 


—  Queue  is  not  full . 

App_Msg_Start_Word  :=  2; 

if  (C0NV_¥0RD_TQ_BYTE(App_Msg(2))  =  RAM_Mem_Load)  or 
(CaNV_W0RD_T0_BYTE(App_Hsg(2))  =  EEPROH_Mem_Load)  or 
(C0NV_¥DRD_T0_BYTE(App_Hsg(2))  =  Meiii_Dujiip_X_Fraines)  then 

—  If  memory  load  or  dump  then  convert 

(from  this  format) 

+ - + - + 

—  1  I  0  I  0  1 

+ - + - + 

—  2  I  0  I  opcode  I 

+ - + - + 

—  3  i  2nd  byte  I  3rd  byte  I 

+ - + - + 

—  4  I  4th  byte  I  I 

+ - + - + 

App_Hsg(l)  :=  App_Msg(2) ; 

SDVS  delete  (hex);  High_Byte_¥ord  :=  AND_¥0RD(App_Hsg(3) ,16#FF00#) j 

High_Byte_¥ord  :=  AND_¥QRD(App_Msg(3) ,65280) ;  — SDVS  replace 

App_Hsg(2)  :=  SHIFT_LOGICAL_¥ORD(High_Byte_¥ord,  -8); 

SDVS  delete  (hex):  Low_Byte_¥ord  :=  AND_¥0RD(App_Msg(3) , 16#00FF#) ; 

Low_Byte_¥ord  :=  AND_¥0RD(App_Msg(3) ,255) ;  — SDVS  replace 

App_Msg(3)  :=  Low_Byte_¥ord; 

App_Msg_Start_¥ord  :=  1; 

end  if ; 

—  The  message  has  been  built.  Nov  store  it  in  the  queue 

—  if  the  queue  is  not  full. 

Q_Tail  :=  (Q_Tail  mod  App_Hsg_Q_Size)  +  1; 

—  To  include  checksum  at  the  end  of  the  message 
NTim_¥ords_For_App_Msg  :=  Num_¥ords_For_App_Hsg  +  1; 

Q_¥ord_Index  :=  0; 

—  Copy  from  message  buffer  to  queue 

for  Hsg_¥ord_Index  in  App_Msg_Start_¥ord. .Num_¥ords_For_App_Msg  loop 
Q_¥ord_Index  :=  Q_¥ord_Index  +  1; 

SDVS  delete  (2-dimensional  array):  App_Msg_Q(Q_Tail,  Q_¥ord_Index)  := 

SDVS  delete  App_Msg(Msg_¥ord_Index) ; 

App_Hsg_Q(Q_Tail) (Q_¥ord_Index)  := 


to  (this  format) 


- +. 

0  1 

opcode 

0  1 

2nd  byte 

0  1 

3rd  byte 

4th  byte  I 
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end  loop; 


App_Msg(Msg_Word_Indei)  ;  — SDVS  replace 


—  Source 

Target 

—  Words 


—  XIO  RA.DSBL  disables  interrupt.  Programmers  should  ensure 

—  that  exceptions  do  not  cause  calls  to  Leave_Critical_Section 

—  to  be  missed.  Refer  to  page  8-21  of  the  Tartan  manual. 

— SDVS  delete  (artclient) :  Artclient .Enter_Critical_Section; 

—  m**  REMINDER 

—  Check  assembly  to  make  sure  App_Msg_Counter  read  from  RAM 

—  (i.e.  current  value  of  App_Msg_Counter)  not  from  register. 

App_Msg_Counter  :=  App_Msg_Counter  +  1; 

—  XIO  RA.EMBL  enables  int. 

— SDVS  delete  (artclient):  Artclient .Leave_Critical_Section; 

—  Save  the  latest  start  cmd  that  identifies  the  type  of 

—  applicaton  message  last  received.  This  will  be  collected 

—  by  TM. COLLECT  during  tracking  state. 

—  App_Msg  Format  (shown  only  first  3  1/2  words) 

for  the  following  cmds: 
RAM_Mem_Load , 
EEPROM_Mem_Load, 

for  other  cmds  Mem_Diunp_X_Frames . 


+ - + - +  + - + - + 

—  1  I  0  I  0  I  I  0  I  opcode  I 

+ - + - +  + - + - + 

—  2  1  0  1  opcode  I  1  0  I  2nd  byte  I 

+ - + - +  + - + - + 

—  3  I  2nd  byte  1  3rd  byte  I  I  0  I  3rd  byte  I 

+ - + - +  + - + - + 

—  4  I  4th  byte  |  I  I  4th  byte  1  I 

+ - + - +  + - + - + 


Cmd_Last_App_Msg.First_Byte  :=  Starting_Cmd_¥ith_Par; 

if  App_Msg_Start_Word  =  1  then  —  For  memory  load  or  dump  message 

—  Second_Byte  is  App_Msg(2) .Low_Byte; 

Cmd_Last_App_Msg.Second_Byte  :=  CONV_WORD_TO_BYTE(App_Msg(2) ) ; 
else  —  All  other  message 

—  Second_Byte  is  App_Msg(2) .High_Byte; 

Temp.Word  :=  SHIFT_L0GICAL_W0RD(App_Msg(3) ,  -8); 
Cmd_Last_App_Msg.Second_Byte  :=  CONV_WORD_TD_BYTE(Temp_Word) ; 


—  Store  the  size  of  this  application  message  at  the  bottom 

—  so  that  MANAGE_MSG_RETRIEVAL  can  retrieve  the  exact  number 

—  of  words  for  this  message. 

—SDVS  delete  (1750A)  MEMDRY_MANAGER.  CQNV_TYPE 

— SDVS  delete  (1750A)  (Cl_Word_Index ’ address , 

—SDVS  delete  (1750A  App_Msg_Q(Q_Tail,  CMDS.TYPES .App_Msg_Hax) ’address ,  — 
—SDVS  delete  (1750A  1); 

App_Msg_Q(Q_Tail) (CMDS_TYPES.App_Msg_Max)  :=  — SDVS  replace 
GLOBAL_TYPES.WDRD(Q_Word_Index);  —SDVS  replace 
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end  if ; 


— SDVS 
—SDVS 
—SDVS 
—SDVS 
—SDVS 
—SDVS 
—SDVS 
—SDVS 


—  Third_Byte  is  App_Msg(3) .Lon.Byte; 
comment:  The  assignment  statement  that  follows  can  not  be  executed  in  SDVS 
comment :  (the  result  of  its  execution  is  compiler  depended) ,  because 
comment:  the  result  of  using  unchecked  conversion  to  convert  App_Msg(3), 
comment:  which  is  a  "word"  with  value  possibly  greater  than  255,  to  a 
comment:  byte  is  unknown.  This  is  a  safeguard  that  SDVS  places  on  unchecked 
comment:  conversions.  The  authors  of  the  MSX  code  are  assuming  that  their 
comment:  compiler  will  execute  the  assignment  statement  by  assigning  to 
comment:  Cmd_Last_App_Msg . Third_Byte  the  lower  byte  of  App_Msg(3). 


—SDVS  delete:  Cmd_Last_App_Msg . Third_Byte  :=  C0NV_W0RD_TD_BYTE(App_Msg(3))  ; 

Cmd_Last_App_Msg.Third_Byte  := 

C0KV_W0RD_T0 .BYTE (AND_W0RD(App_Msg(3)  ,255))  ;  —SDVS  replace 


—  Fourth.Byte  is  App_Msg(4) .High.Byte; 

Temp.Word  :=  SHIFT_L0GICAL_WQRD(App_Msg(4) ,  -8); 
Cmd_Last_App_Msg.Fourth_Byte  :=  COHV.WORD.TO.BYTE (Temp.Word) ; 


else 


—  gets  time-tagged  in  TM.Data 

—  App.Msg.Q. Overflowed  =  17 

TM.DATA . MANAGE . REPQRT_SYSTEM_ERROR( 17) ; 
Cmd.Status.Buf(Cmd_Buf .Index)  :=  App.Msg.Dropped; 

Rejected.Cmd.Count  := 

(Reject ed.Cmd.Co'ont  +  1)  mod  Max.Rejected.Cmd.Count ; 


end  if ; 


else  —  Checksum  failed 
—  Checksum.Failed  =  18 
TM.DATA .MANAGE . REP0RT.SYSTEM.ERR0R(18) ; 

Rejected.Cmd.Count  := 

(Rejected.Cmd.Count  +  1)  mod  Max.Re jected.Cmd.Count ; 
Cmd.Status.Buf(Cmd.Buf. Index)  :=  Bad.Checksum; 
end  if ;  —  App.Msg. Checksum  good  or  bad 

Build.In.Progress  :=  False; 

end  if ;  —  Cmds.Rcvd  =  Num_Cmds.For.App.Msg 

else  —  if  Cmd_Buf(Cmd_Buf .Index) .Cont.Op.Code  /=  Cont.Cmd  then 

—  The  No-op  cmd  could  be  interspersed  in  another  cmd.  This 

—  is  because  of  the  prioritized  order  of  cmds  from  the  TP 

—  being  higher  than  delayed  cmds.  This  is  the  only  cmd  that 

—  can  be  interspersed. 

if  (Cont.Op.Code  =  No.op.Cmd)  then 

if  (App.Msg.Counter  <  App.Msg.Q.Size)  then 
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Q_Tail  :=  (Q_Tail  mod  App_Msg_Q_Size)  +  1; 

— SDVS  delete  (2-diBensional  array):  App_Msg_Q (Q_Tail ,  1)  := 

— SDVS  delete  CONV_BYTE_TD_WORD(Cont_Op_Code) ; 

App_Msg_Q(Q_Tail)  (1)  :=  CDNV_BYTE_TO_WORD(Cont_Dp_Code)  ;  —SDVS  replace 

—  store  application  message  size  for  this  type  of  commands 

—  at  the  end  of  application  message  array 

— SDVS  delete  (2-dimensional  array):  App_Hsg_Q (Q_Tail ,  CMDS.TYPES . App_Msg_Max) 

— SDVS  delete  :=  i 

App_Msg_Q(Q_Tail)  (CKDS .TYPES. App_Msg_Max)  :=1;  —SDVS  replace 

—  XID  RA.DSBL  disables  int. 

— SDVS  delete  (artclient) :  Artclient .Enter.Criticcd.Section; 

—  m**  REMINDER  *** 

—  Check  assembly  to  make  sure  App.Hsg.Counter  read  from  RAM 

—  (i.e.  current  value  of  App.Msg.Counter)  not  from  register. 

App.Hsg.Counter  :=  App.Msg.Counter  +  1; 

—  XID  RA.EHBL  enables  int. 

— SDVS  delete  (artclient):  Artclient .Leave. Critical. Section; 

Cmd_Last.App.Msg  :=  Cmd.Buf (Cmd.Buf .Index) ; 
else 

—  App.Msg.q.Overflowed  =  17 

TM.DATA . MANAGE . REPORT_SYSTEM_ERROR( 17) ; 

Cmd. St atus.Buf (Cmd.Buf .Index)  :=  App.Msg.Dropped; 

Rejected.Cmd.Count  := 

(Rejected.Cmd.Count  +  1)  mod  Max.Rejected.Cmd.Coimt ; 

end  if ; 

else  —  Cont.Op.Code  is  not  No.Op.Cmd 
—  Prior .Build.Flushed  =12 
TM.DATA . MANAGE . REPORT_SYSTEM_ERRGR( 12) ; 

Rejected.Cmd.Count  := 

(Rejected.Cmd.Count  +  1)  mod  Max.Rejected.Cmd.Coimt ; 

Cmd.Status.Buf (Cmd.Buf .Index)  :=  Flushed.Prior.Build ; 

Build.In.Progress  :=  False; 

end  if ; 

end  if;  —  build  in  progress  and  next.cmd  =  or  /=  Cont.Cmd 


— SDVS  delete  (exception) : 


exception 


— SDVS  delete  (exception) : 


when  others  => 


— SDVS  delete  (exception) : 
— SDVS  delete  (exception) : 


sritestring("cbe  2") ; 
writeln; 
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end  CONTINUE.BUILD; 

— *********************************+*********♦*♦***♦♦*****♦**************#**** 


begin 


— SDVS  delete  (TM) : 
— SDVS  delete  (TM) : 
—SDVS  delete  (TM)  : 
null; 


for  I  in  1 . .Latest_Cmds_Q_Size  loop 
Latest_Cmds_Q(I)  :=  Zero_Cmd; 
end  loop; 


— SDVS  delete  (exception) :  exception 

— SDVS  delete  (exception) :  nhen  tasking_error  => 

— SDVS  delete  (exception):  Britestring("apte  5"); 

— SDVS  delete  (exception) :  sriteln; 

—  App_Msgs_Pkg_Tasking_Exception  =  76 
—SDVS  delete  (exception):  TH_DATA. MANAGE. REP0RT_SYSTEM_ERRDR(76)  ; 

— SDVS  delete  (exception) :  when  others  => 


— SDVS  delete  (exception):  writestring ("ape  6"); 

— SDVS  delete  (exception) :  writeln; 

—  App_Msgs_Pkg_Exception  =  77 

—SDVS  delete  (exception):  TH_DATA. MANAGE. REP0RT_SySTEM_ERRDR(77) ; 


end  APP.MSGS; 


begin  — SDVS  add 
— a  loop_begin  — SDVS  add 

loop  — SDVS  add 

SERIAL_DIG_CMDS.CMD_IN_HANDLER;  —SDVS  add 

for  i  in  2  ..  APP_MSGS.RET_MSG_LENGTH(SERIAL_DIG_CMDS.RET_MSG_ID)  loop  —SDVS  add 
SERIAL_DIG_CMDS.CMD_IN_HANDLER;  —SDVS  add 
end  loop;  — SDVS  add 
APP.HSGS. BUILD;  —SDVS  add 
APP_MSGS.PROCESS_MSG;  —SDVS  add 
end  loop;  — SDVS  add 

end  MSX_PROGRAM_FINAL_ VERSION;  —SDVS  add 
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9  Appendix  B  -  The  Proofs 


9.1  Definitions,  etc.  used  in  the  main  proof 


;  Syntax:  Common-lisp;  Package:  USER;  Mode:  LISP  -*-"7,  ;  File  name 
:  /u/versys/msx/in±inite_sequence_data_structure_messages. def s 

; ; ;  This  file  contains  the  formulas,  macros  and  proofs  used  in  the  main  proof 
; ; ;  (found  in  file 

; ; ;  /u/versys/msx/infinite_sequence_data_structure_messages. proof) . 

;;;  This  file  is  for  the  most  part  organized  bottom-up:  that  is,  definitions, 
;;;  lemmas,  etc.  are  introduced  immediately  before  they  are  used.  The  major 
;;;  exception  to  this  is  the  first  section  which  contains  macros.  A  top-down 
; ; ;  explanation  of  main  proof  is  given  in  the  body  of  the  technical  report. 


9.1.1  Macros 


; ; ;  Macro  section 

;;  Macro  is. byte  is  a  predicate  which  is  true  if  x  is  between  0  and  255 
;;  inclusive,  false  otherwise. 

(defmacroo  is. byte 

"0  le  X  &  X  le  255" 

(x)  nil) 

;;  Macro  is. byte  is  a  predicate  which  is  true  if  x  is  between  0  and  65536 
;; inclusive,  false  otherwise. 

(defmacroo  is. word 

"0  le  X  &  X  le  65535" 

(x)  nil) 

; ;  Macro  mk.word  is  a  function  which  returns  the  value  of  a  word  whose 
; ;  high-order  bits  are  the  byte  a  and  whose  low-order  bits  are  the  byte  b. 

(defmacroo  mk.word 
"256  *  a  +  b" 

(a  b)  nil) 

; ;  Macro  all. high  is  a  predicate  which  returns  true  if  x  is  a  word  all  of 
;;  whose  low-order  bits  are  0,  false  otherwise. 

(defmacroo  all. high 

"0  le  X  &  X  le  65535  &  x  mod  256  =  0"  ;  The  is. word  macro  is  not  used 
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(x)  nil) 


;  here  as  SDVS  does  not  currently 
;  handle  nested  macros 


;;  Macro  all. low  is  a  predicate  which  returns  true  if  x  is  a  word  all  of  whose 

;;  low-order  bits  are  0,  false  otherwise. 

(defmacroo  all. low 
"0  le  X  fc  X  le  255" 

(i)  nil) 

; ;  Macro  high. bits  is  a  function  whose  value  is  the  high-order  bits  of  a  word. 

(defmacroo  high. bits 
"x  /  256" 

(x)  nil) 

;;  Macro  low. bits  is  a  function  whose  value  is  the  low-order  bits  of  a  word. 

(defmacroo  low. bits 
"x  mod  256" 

(x)  nil) 


9,1.2  Timing  proofs 


; ; ;  Proofs  used  for  timing.  These  proofs  are  used  to  give  the  date  at  various  points 
;;;  in  the  main  proof  if  the  variable  timing  is  set  to  true. 

;;  Proof  printdate  prints  the  date  if  the  timing  flag  is  true,  does  nothing  otherwise. 

(defproof  printdate.if .wanted 
"(if  timing 

then  printdate)") 

; ; Proof  printdate  simply  prints  the  date 

(defproof  printdate 
"(date)") 


9,1.3  Formulas  used  in  the  precondition 


; ; ;  The  following  section  contains  formulas  used  in  the  precondition 

;;;  of  the  main  state  delta  (inf inite.sequence.data.structure.messages . sd) . 

; ; ;  The  following  formulas  (which  are  accompanied  below  by  their 
; ; ;  proofs)  are  included  in  the  precondition  to  avoid  re-proving  for 
; ; ;  each  run  with  a  different  step.case. proof 
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;;;  The  state  deltas  input_places_disjoint.sd  and 
;;;  output_places_disjoint . sd  are  used  in  the  step  case  to  prove 
; ; ;  that  the  input  and  output  places  associated  with  the  nth  message  are 
;;;  disjoint  from  the  places  mentioned  in  the  output  condition  (i.e.,  those 
; ; ;  associated  with  the  xth  message) . 

; ;  State  delta  input_places_disjoint .sd  is  applied  in  the  n  It  x  case  in  the 

; ;  step  case  of  the  induction  so  that  the  prover  is  able  to  deduce  that  the  input 

; ;  places  for  the  nth  message  are  disjoint  from  the  input  places  for  the  xth  message. 

(defsd  input _places_dis joint .sd 

" [sd  pre:  (  formula (msg_input _begins_at_def inition) ,n  ge  1,  n  It  x, 

formula(msg_in_lh_ definition) ,f ormula(allowed_message_ids) ) 
post:  (msg_input_begins_at(n)  +  msg_in_lh(n)  -  1 
It  msg_input_begins_at(x))]") 

;;  Proof  input_places_dis joint .proof  is  the  proof  of  input _places_disjoint .sd. 

(def proof  input_places_dis j  oint . proof 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  input_places_disj oint .proof .. .  \  ", 
setflag  traceflag  off , 

interpret  printdate_if .wanted, 

;  The  proof  is  a  fairly  straightforward  induction  on  n  -  x 

natural  induction  on:  k 

formulas:  (forall  x  ((n  ge  1  &  n  It  x)  & 

k  =  I  -  (n  +  1) 

— >  msg_input_begins_at (n) 

+  (msg_in_lh(n)-l) 

It  msg_input_begins_at ( (n  + 

k)  + 

1))) 

base  proof : 

(  proveby instantiation 

using:  msg_in_lh_ def  inition 
substitutions:  (x=n) , 
pr o veby inst  ant iat ion 

using :  msg_input_begins_at_def inition 
substitutions:  (x=n  +  1), 
close) 

step  proof : 

(letq  induct_hyp  =  q(l), 
pro vebyinstant iat ion 

using:  msg_ input .begins. at.def inition 
substitutions:  (i=(n  +  k)  +2), 
pro vebyinstant iat ion 

using:  msg_in_lh_def inition 
substitutions:  (x=(n  +  k)  +  1) , 
pr o vebyinst  ant iat ion 
using:  induct. hyp 
substitutions:  (x=(n  +  k)  +  1) , 
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pr OTcbyinst ant iat ion 

using:  allo¥ed_message_ids 
substitutions:  (x=(n  +  k)  +  1) , 

close) , 

provebyinstantiation 
using:  q(l) 

substitutions:  (k=x  -  (n  +  1)), 
enotice  x  -  (n  +  1)  ge  0, 
notice 

X  -  (n  +  1)  ge  0 

— >  forall  X  ((n  ge  1  i:  n  It  x)  k 

X  -  (n  +  1)  =  X  -  (n  +  1) 

— >  iiisg_input_begins_at(n)  +  (iBsg_in_lh(n)-l) 

It  Bsg_input_begins_at((n  + 

(x  -  (n  + 

1)))  + 

D), 

notice 

forall  X  ((n  ge  1  &  n  It  x)  fe 

X  -  (n  +  1)  =  X  -  (n  +  1) 

— >  msg_input_begins_at(n)  +  (msg_in_lb(n)-l) 

It  msg_input_begins_at ( (n  + 

(x  -  (n  +  1)))  + 

D), 

pr 0 veby inst  ant iat ion 
using:  q(l) 
substitutions:  (x=x) , 

interpret  printdate_if .wanted, 

setflag  traceflag  on, 
comient 

\  "Finished  with  interpretation  of  input_places_disjoint .proof .. .  \  ", 
setflag  traceflag  off , 
close) ") 

;;  Proof  separate_input_places  simply  applies  input _places_disjoint.sd. 

(defproof  separate.input .places 
"(setflag  traceflag  on, 

coament  \  "Beginning  interpretation  of  separate.input.places . . .  \  ", 
setflag  traceflag  off, 

interpret  printdate. if .wanted, 

apply  input.places.disjoint .sd, 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  separate.input.places...  \  ", 
setflag  traceflag  off)") 

;;  State  delta  output.places.disjoint . sd  is  applied  in  the  n  It  x  case  in  the 
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; ;  step  case  of  the  induction  so  that  the  proven  is  able  to  deduce  that  the 
;  ;  output  places  for  the  nth  message  aire  disjoint  from  the  output  places  for 
;;  the  xth  message. 

(defsd  output_places_disjoint . sd 

" [sd  pre:  (  formula (msg_output_begins_at_definition) ,n  ge  1,  n  It  x, 

formula(msg_out_lh_ definition) ,f ormula(allowed_message_ids) ) 
post:  (msg_output_begins_at(n)  +  msg_out_lh(n)  -  1 
It  msg_output_begins_at(x))] ") 

;;  Proof  output_places_disjoint .proof  is  the  proof  of  output _places_dis j oint . sd . 

(def proof  output _places_dis joint .proof 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  output_places_disj oint .proof .. .  \  ", 

setflag  traceflag  off , 

interpret  printdate_if _wanted, 

;  Again,  the  proof  is  a  fairly  straightforward  induction  on  n  -  r 

natural  induction  on:  k 

formulas:  (forall  x  ((n  ge  1  &  n  It  x)  ft 

k  =  x-  (n+  1) 

— >  msg_output_begins_at (n) 

+  (msg_out_lh(n)-l) 

It  msg_output_begins_at ( (n  + 

k)  + 
1))) 

base  proof : 

(  provebyinstantiation 

using:  msg_out_lh_def inition 
subst itut  ions :  (x=n) , 
pr o veby inst  ant iat ion 

using :  msg_output_begins_at_def inition 
substitutions:  (x=n  +  1), 
close) 

step  proof : 

(letq  induct _hyp  =  q(l), 
pro veby inst  ant iat ion 

using :  msg_output_begins_at_def inition 
substitutions:  (x=(n  +  k)  +2), 
provebyinstantiation 

using:  msg_out_lh_def inition 
substitutions:  (x=(n  +  k)  +1), 
provebyinstantiation 
using:  induct_hyp 
substitutions:  (x=(n  +  k)  +  1) , 
provebyinstantiation 

using :  allowed_message_ids 
substitutions:  (x=(n  +  k)  +  1) , 
close) , 

pro veby inst  ant iat ion 
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using:  q(l) 

substitutions:  (k=x  -  (n  +  D), 
enotice  x  -  (n  +  1)  ge  0, 
notice 

X  -  (n  +  1)  ge  0 

— >  forall  X  ((n  ge  1  I:  n  It  x)  k 

X  -  (n  +  1)  =  X  -  (n  +  1) 

— >  iiisg_output_begins_at (n)  +  (]Bsg_out_lh(n)-l) 

It  msg_output_begins_at((n  + 

(x  -  (n  + 

1)))  + 

D), 

notice 

forall  X  ((n  ge  1  &  n  It  x)  & 

X  -  (n  +  1)  =  X  -  (n  +  1) 

— >  iBsg_ output _begins_at(n)  +  (msg_out_lh(n)-l) 

It  Bsg_output_begins_at((n  + 

(x  -  (n  +  1)))  + 

D). 

pro vebyinst ant iat ion 
using:  q(l) 
substitutions:  (x=x)  , 

interpret  printdate_if _wanted, 

setflag  traceflag  on, 
comment 

\  "Finished  with  interpretation  of  output _places_dis joint. proof .. .  \  ", 
setflag  traceflag  off, 
close) ") 

;;  Proof  separate_input_places  simply  applies  input_places_disjoint .sd. 

(defproof  separate_output_places 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  separate_output_places . . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if _wanted, 

apply  output_places_disjoint . sd, 

interpret  printdate_if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  separate.output.places. . .  \  ", 
setflag  traceflag  off)") 

;;  State  delta  finale. sd  is  used  after  the  induction  and  allows  the  main 
; ;  proof  to  be  run  without  using  EKL. 

(defsd  f inale. sd 

"[sd  pre:  (x  +  1  =  x  +  1 
— >  (x  ge  1 

— >  forall  z  (1  le  z  &  z  le  msg.out.lhCx) 
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— >  . stdout 

[msg_output_begins_at (x)  + 

(z  -  1)] 

=  mk.Bord 
( .stdin 

[iiisg_input_begins_at(x)  + 
(8  *  z  -  5)  /  3]  . 

.stdin 

[msg_input_begins_at (x)  + 
(8  *  z  -  1)  /  3])))) 

post:  (x  ge  1 

— >  forall  z  (1  le  z  &  z  le  msg_out_lh(x) 

— >  .stdout 

[msg_ output _begins_at(x)  +  (z  -  1)] 

=  mk.oord 
( . stdin 

[iiisg_input_begins_at  (x)  + 

(8  *  z  -  5)  /  3]  , 

.stdin 

[msg_input_begins_at(x)  + 

(8  »  z  -  1)  /  3])))]") 

;;  Proof  finale. proof  is  the  (completely  automatic)  proof  of  finale. sd. 

(def proof  finale. proof 
"(quantification  on, 
prove  f inale. sd 
proof:  )") 

; ; ;  The  rest  of  the  formulas  in  this  section  specify  that  the  input  is 
; ; ;  correct . 

;;  Formula  allowed_message_ids  states  which  message  ids  are  allowed  (i.e.,  are 
; ;  actually  legitimate  message  ids  for  data-structure  messages. 


(defformula  allowed_message_ids 

"forall  X  ((x  ge  1)  — >  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(i) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
or  msg_id(x) 
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or 

msg_id(x) 

19 

or 

Bsg_id(x) 

= 

20 

or 

msg_id(x) 

_ 

21 

or 

msg_id(x) 

22 

or 

msg_id(x) 

= 

23 

or 

msg_id(x) 

24 

or 

msg_id(x) 

= 

25 

or 

msg_id(x) 

= 

26 

or 

msg_id(x) 

= 

27 

or 

msg_id(x) 

28 

or 

msg_id(x) 

= 

29 

or 

msg_id(x) 

50 

or 

msg_id(x) 

= 

51 

or 

Bsg_id(x) 

= 

52 

or 

BSg_id(x) 

= 

53 

or 

msg_id(x) 

= 

54 

or 

msg_id(x) 

= 

55 

or 

msg_id(x) 

= 

56 

or 

msg_id(x) 

= 

57 

or 

msg_id(i) 

= 

58 

or 

msg_id(x) 

59 

or 

msg_id(x) 

= 

60 

or 

msg_id(x) 

= 

61 

or 

msg_id(x) 

= 

62 

or 

msg_id(x) 

63 

or 

msg_id(x) 

= 

64 

or 

msg_id(x) 

= 

65 

or 

BSg_id(x) 

= 

66 

or 

msg_id(x) 

S 

67 

or 

msg_id(x) 

3= 

80 

or 

msg_id(x) 

= 

81 

or 

msg_id(i) 

= 

82 

or 

msg_id(x) 

= 

83 

or 

Bsg_id(x) 

= 

84 

or 

msg_id(x) 

85 

or 

msg_id(x) 

= 

86 

or 

msg_id(x) 

= 

87 

or 

msg_id(x) 

= 

88 

or 

msg_id(x) 

= 

89 

or 

msg_id(x) 

=: 

90 

or 

msg_id(x) 

91 

or 

msg_id(x) 

= 

92 

or 

msg_id(x) 

= 

93)") 

Formula  msg_in_lh_definition  defines  the  function  Bsg_in_lh. 

This  function  gives  the  nxunber  of  bytes  of  input  for  a  message.  N.B:  The  values 
of  this  function  are  four  times  as  large  as  the  values  in  the 
specification,  as  there  the  number  of  commands  rather  than  the  number  of 
bytes  is  used. 


(defformula  msg_in_lh_def  inition 
"forall  X  ((x  gt  0)  — > 

(if  msg_id(x)  =  1  then  msg_in_lh(x)  =  56  else 
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(if  iiisg_id(x)  =  2  then 
(if  msg_id(x)  =  3  then 
(if  msg_id(x)  =  4  then 
(if  msg_id(x)  =  5  then 
(if  msg_id(x)  =  6  then 
(if  msg_id(x)  =  7  then 
(if  msg_id(x)  =  8  then 
(if  nisg_id(x)  =  9  then 
(if  insg_id(x)  =  10  then 
(if  msg_id(x)  =11  then 
(if  insg_id(x)  =  12  then 
(if  iBsg_id(x)  =  13  then 
(if  msg_id(x)  =  14  then 
(if  msg_id(x)  =  15  then 
(if  msg_id(x)  =  16  then 
(if  msg_id(x)  =  17  then 
(if  msg_id(x)  =  18  then 
(if  msg_id(x)  =  19  then 
(if  msg_id(x)  =  20  then 
(if  msg_id(x)  =  21  then 
(if  msg_id(x)  =  22  then 
(if  msg_id(x)  =  23  then 
(if  msg_id(x)  =  24  then 
(if  msg_id(x)  =  25  then 
(if  Bsg_id(x)  =  26  then 
(if  msg_id(x)  =  27  then 
(if  iasg_id(x)  =  28  then 
(if  msg_id(x)  =  29  then 
(if  msg_id(x)  =  50  then 
(if  insg_id(x)  =  51  then 
(if  msg_id(x)  =  52  then 
(if  msg_id(x)  =  53  then 
(if  msg_id(x)  =  54  then 
(if  insg_id(x)  =  55  then 
(if  msg_id(x)  =  56  then 
(if  iasg_id(x)  =  57  then 
(if  iiisg_id(i)  =  58  then 
(if  iiisg_id(x)  =  59  then 
(if  msg_id(x)  =  60  then 
(if  iiisg_id(x)  =  61  then 
(if  msg_id(x)  =  62  then 
(if  msg_id(x)  =  63  then 
(if  msg_id(i)  =  64  then 
(if  msg_id(x)  =  65  then 
(if  iiisg_id(x)  =66  then 
(if  nisg_id(x)  =  67  then 
(if  nisg_id(x)  =  80  then 
(if  i!isg_id(x)  =  81  then 
(if  nisg_id(x)  =  82  then 
(if  iiisg_id(x)  =  83  then 
(if  i!isg_id(x)  =  84  then 
(if  msg_id(x)  =  85  then 
(if  iiisg_id(x)  =  86  then 
(if  msg_id(x)  =  87  then 
(if  nsg_id(x)  =  88  then 


nisg_in_lh(x)  =  56  else 
msg_in_lh(x)  =  56  else 
msg_in_lh(x)  =  56  else 
insg_in_lh(x)  =  56  else 
iEsg_in_lh(x)  =  56  else 
msg_in_lh(x)  =  56  else 
msg_in_lh(x)  =  40  else 
msg_in_lh(x)  =  40  else 
iiisg_in_lh(x)  =  12  else 
insg_in_lh(x)  =  12  else 
iiisg_in_lh(x)  =  16  else 
iusg_in_lh(x)  =  16  else 
msg_in_lh(x)  =  12  else 
Msg_in_lh(x)  =  12  else 
msg_in_lh(x)  =  12  else 
msg_in_lh(x)  =  12  else 
msg_in_lh(x)  =  12  else 
msg_in_lh(x)  =  32  else 
insg_in_lh(x)  =  12  else 
msg_in_lh(x)  =  12  else 
msg_in_lh(x)  =  8  else 
msg_in_lh(x)  =  16  else 
msg_in_lh(x)  =  8  else 
msg_in_lh(x)  =  16  else 
msg_in_lh(x)  =  16  else 
msg_in_lh(x)  =  16  else 
msg_in_lh(x)  =  8  else 
msg_in_lh(x)  =  24  else 
fflsg_in_lh(x)  =  40  else 
insg_in_lh(x)  =  16  else 
iiisg_in_lh(x)  =  24  else 
msg_in_lh(x)  =  152  else 
msg_in_lh(x)  =  152  else 
insg_in_lh(x)  =  208  else 
msg_in_lh(x)  =  208  else 
msg_in_lh(x)  =  52  else 
msg_in_lh(x)  =  24  else 
msg_in_lh(x)  =  16  else 
msg_in_lh(x)  =  24  else 
msg_in_lh(x)  =  16  else 
msg_in_lh(x)  =  20  else 
msg_in_lh(x)  =  44  else 
msg_in_lh(x)  =  28  else 
msg_in_lh(x)  =  32  else 
msg_in_lh(x)  =  32  else 
msg_in_lh(x)  =  60  else 
msg_in_lh(x)  =  16  else 
msg_in_lh(x)  =  8  else 

msg_in_lh(x)  =  8  else 

msg_in_lh(i)  =  8  else 

iusg_in_lh(i)  =  8  else 

msg_in_lh(x)  =  8  else 

msg_in_lh(x)  =  16  else 
iusg_in_lh(x)  =  16  else 
iiisg_in_lh(x)  =  16  else 
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(if  Msg_id(x)  =  89  then  msg_in_lh(x)  =  16  else 

(if  iisg_id(x)  =  90  then  Bsg_in_lh(x)  =  8  else 

(if  msg_id(x)  =  91  then  iisg_in_lh(x)  =  44  else 

(if  Bsg_id(x)  =  92  then  Bsg_in_lh(x)  =  28  else 

(if  iBsg_id(x)  =  93  then  msg_in_lh(x)  =  8  else  msg_in_lh(x)  =  0 

))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))") 

; ;  Formula  msg_out_lh_def inition  defines  the  function  msg_out_lh. 

;;  This  function  gives  the  number  of  words  of  output  for  a  message. 

(defformula  BSg_out_lh_ definition 
"forall  X  ((x  gt  0)  — > 


(if 

msg_id(x) 

1  • 

then  msg_out_lh(x)  =  20 

else 

(if 

msg_id(x) 

= 

2  • 

then  msg_out_lh(x)  =  20 

else 

(if 

msg_id(x) 

= 

3  then  msg_out_lh(x)  =  20 

else 

(if 

msg_id(x) 

= 

4  then  msg_out_lh(x)  =  20 

else 

(if 

msg_id(x) 

5  then  msg_out_lh(x)  20 

else 

(if 

Bsg_id(x) 

= 

6  then  msg_out_lh(x)  =  20 

else 

(if 

msg_id(x) 

7  then  msg_out_lh(x)  =  20 

else 

(if 

Bsg_id(x) 

= 

8  then  msg_out_lh(x)  =  14 

else 

(if 

msg_id(x) 

9  then  msg_out_lh(x)  =  14 

else 

(if 

msg_id(x) 

10 

then 

msg_out_lh(x)  =  4 

else 

(if 

msg_id(x) 

= 

11 

then 

msg_out_lh(x)  =  4 

else 

(if 

msg_id(x) 

= 

12 

then 

msg_out_lh(x)  =  6 

else 

(if 

msg_id(x) 

S 

13 

then 

»sg_out_lh(x)  =  6 

else 

(if 

msg_id(x) 

B 

14 

then 

msg_out_lh(x)  =  4 

else 

(if 

msg_id(x) 

ai 

15 

then 

msg_out_Ih(x)  =  4 

else 

(if 

■sg_id(x) 

B 

16 

then 

msg_out_lh(x)  =  4 

else 

(if 

■sg_id(x) 

= 

17 

then 

msg_out_lh(x)  =  4 

else 

(if 

msg_id(x) 

= 

18 

then 

msg_out_lh(i)  =  4 

else 

(if 

Bsg_id(x) 

= 

19 

then 

msg_out_lh(x)  =  11 

1  else 

(if 

msg_id(x) 

= 

20 

then 

msg_out_lh(x)  =  4 

else 

(if 

■sg_id(x) 

21 

then 

msg_out_lh(x)  =  4 

else 

(if 

msg_id(x) 

22 

then 

msg_out_lh(i)  =  3 

else 

(if 

msg_id(x) 

= 

23 

then 

msg_out_lh(i)  =  6 

else 

(if 

msg_id(x) 

= 

24 

then 

msg_out_lh(x)  =  3 

else 

(if 

msg_id(x) 

= 

25 

then 

msg_out_lh(x)  =  5 

else 

(if 

BSg_id(x) 

26 

then 

msg_out_lh(x)  =  5 

else 

(if 

msg_id(x) 

= 

27 

then 

msg_out_lh(x)  =  6 

else 

(if 

msg_id(x) 

= 

28 

then 

■sg_out_lh(x)  =  3 

else 

(if 

Bsg_id(x) 

= 

29 

then 

msg_out_lh(x)  =  8 

else 

(if 

msg_id(x) 

= 

50 

then 

msg_out_lh(x)  =  15  else 

(if 

msg_id(x) 

51 

then 

msg_out_lh(x)  =  6 

else 

(if 

msg_id(x) 

= 

52 

then 

msg_out_lh(x)  =  8 

else 

(if 

msg_id(x) 

= 

53 

then 

msg_out_lh{i)  =  57  else 

(if 

Bsg_id(x) 

B 

54 

then 

msg_out_lh(x)  =  57  else 

(if 

msg_id(x) 

55 

then 

msg_out_lh(x)  =  78  else 

(if 

Bsg_id(x) 

= 

56 

then 

Bsg_out_lh(x)  =  78  else 

(if 

msg_id(x) 

= 

57 

then 

Bsg_out_lh(x)  =  19  else 

(if 

Bsg_id(x) 

58 

then 

Bsg_out_lh(x)  =  8 

else 

(if 

■sg_id(x) 

B 

59 

then 

Bsg_out_lh(x)  =  6 

else 

(if 

msg_id(x) 

B 

60 

then 

msg_out_lh(x)  =  9 

else 

(if 

«sg_id(x) 

= 

61 

then 

msg_out_lh(x)  =  6 

else 

(if 

msg_id(x) 

B 

62 

then 

msg_out_lh(x)  =  7 

else 
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(if 

msg_id(x) 

= 

63 

then 

msg_out_lh(x) 

16 

else 

(if 

msg_id(x) 

= 

64 

then 

msg_out_lh(x) 

= 

10 

else 

(if 

msg_id(x) 

= 

65 

then 

msg_out_lh(x) 

= 

11 

else 

(if 

msg_id(x) 

= 

66 

then 

msg_out_lh(x) 

= 

11 

else 

(if 

msg_id(x) 

= 

67 

then 

msg_out_lh(x) 

= 

22 

else 

(if 

msg_id(x) 

= 

80 

then 

msg_out_lh(x) 

= 

5 

else 

(if 

msg_id(x) 

81 

then 

msg_out_lh(x) 

= 

3 

else 

(if 

msg_id(r) 

= 

82 

then 

msg_out_lh(x) 

= 

3 

else 

(if 

msg_id(x) 

_ 

83 

then 

msg_out_lh(x) 

= 

3 

else 

(if 

msg_id(x) 

= 

84 

then 

msg_out_lh(x) 

= 

3 

else 

(if 

msg_id(x) 

= 

85 

then 

msg_out_lh(x) 

= 

3 

else 

(if 

msg_id(x) 

= 

86 

then 

msg_out_lh(x) 

5 

else 

(if 

msg_id(x) 

= 

87 

then 

msg_out_lh(x) 

= 

5 

else 

(if 

msg_id(x) 

= 

88 

then 

msg_out_lh(x) 

= 

6 

else 

(if 

msg_id(x) 

= 

89 

then 

msg_out_lh(x) 

5 

else 

(if 

msg_id(x) 

= 

90 

then 

msg_out_lh(r) 

= 

3 

else 

(if 

msg_id(x) 

= 

91 

then 

msg_out_lh(x) 

= 

16 

else 

(if 

msg_id(x) 

= 

92 

then 

msg_out_lh(x) 

= 

10 

else 

(if 

msg_id(x) 

= 

93 

then 

msg_out_lh(x) 

= 

3 

else  msg_out_lh(x)  =  0 

))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))") 

; ;  Formula  msg_input_begins_at_def inition  defines  the 

; ;  function  nsg_input_begins_at  nhich  gives  the  beginning  input  location 
; ;  for  messages . 

(def formula  msg_input_begins_at_def inition 
"forall  X  (msg_input_begins_at(l)  =  1  ft 
((x  gt  1)  — > 

(msg_input_begins_at(x)  = 
msg_input_begins_at(x-l)  +  msg_in_lh(x-l))))") 

; ;  Formula  msg_output_begins_at_def inition  defines  the 

; ;  function  msg_output_begins_at  which  gives  the  beginning  output  location 
;;  for  messages. 


( def f ormula  msg_ output _begins_at .definition 
"forall  X  (msg_output_begins_at (1)  =  1  fe 
((x  gt  1)  — > 

(msg_output_begins_at(x)  = 
msg_output_begins_at(x-l)  +  msg_out_lh(x-l) ) ) ) ") 

; ;  Formula  checksum_first_k_bytes_message_n_definition  defines  the  function 
; ;  checksum_first_k_bytes_message_n(n,k)  ,  which  gives  the  result  of  applying 
; ;  the  sdvs_xor_word  function  to  the  first  k  actual  input  bytes  of  message  n. 

(def formula  checksum_first_k_bytes_message_n_def inition 
"forall  n 
(forall  k  ( 

(k  =  0  — > 

checksum.f irst_k_bytes_message_n(n,k)  =  0)  & 

(k  gt  0  — > 

(checksum.f irst_k_bytes_message_n(n,k) 

=  sdvs_xor_word(checksum_f irst_k_bytes_message_n(n,k-l) , 

mk.word( .stdin[msg_input_begins_at (n)  +  ((8  ♦  k  -  5)  /  3)], 
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.stdin[*sg_input_begins_at(n)  +  ((8  *  k  -  1)  /  3)]))))))") 


;  Fornula  checksuM_def inition  defines  the  fvmction  checksim(x)  ,  which  gives 
;  the  result  of  applying  the  sdvs_xor_word  function  to  all  of  the  actual 
;  input  bytes  of  message  x. 


(defformula  checksum_def inition 
"(forall  X  (x  ge  0  — > 

(checksum(x)  =  checksum.f irst_k_bytes_message_n(x ,  Bsg_out_lh(x)  -1)) 
k  is.wordCchecksmCx))))") 

;;  Formula  input .condition  is  the  principed  formula  used  to  specify  the  input. 

(defformula  input.condition 
"forall  X 
(forall  2 
(x  ge  1  — > 

;  The  first  byte  is  always  1. 

((z  =  1  — >  .stdin[msg_input_begins_at(r)  +  (z-1)]  =  1)  & 

;  The  second  byte  is  always  2. 

(z  =  2  — >  .stdin[msg_input .begins. at (x)  +  (z-l)]  =  2)  & 

;  The  third  byte  is  the  message  identifier. 

(z  =  3  — >  .stdin[msg_input .begins. at (x)  +  (z-l)]  =  msg.id(x))  k 

;  As  for  the  remaining  bytes. . . 

((4  le  z  &  z  le  msg.in.lh(x))  — > 

;  If  it’s  the  first  byte  of  a  command,  it’s  an  eight: 

((z  mod  4=1  — >  . stdinCmsg.input .begins. at (x)  +  (z-l)]  =  8)  & 

;  otherwise,  we  only  know  it’s  a  byte. 

(z  mod  4  "=  1  — >  is.byte(.stdin[msg.input.begins.at(x)  +  (z-l)]))))  k 

;  First  checksum  byte  is  the  high  bits  of  the  checksum  word  for  message  i 
((z  =  ((8  *  msg_out.lh(x)  -  2)  /  3))  — > 

.stdin[msg_input_begins_at(x)  +  (z-l)]  = 
high. bits (checksum (x)))  k 

;  Second  checksum  byte  is  the  low  bits  of  the  checksum  word  for  message  x 
((z  =  ((8  ♦  msg.out.lh(x)  +2)  /  3))  — > 

. stdin[msg.input.begins.at(x)  +  (z-l)]  = 
low . bits (checksum (x) )))))") 


9.1.4  Formulas  used  in  the  postcondition 


; ; ;  Formulas  used  in  the  postcondition  of  the  main  state  delta 
;  ; ;  (inf inite.sequence.data.structure.messages.sd) 
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; ;  Formula  output _condit ion  states  that  all  sords  output  for  the  rth  message  are 
;;  correct,  i.e.,  are  words  formed  from  the  specified  inputs  in  the  high  and  low  bytes. 

(defformula  output_condition 

"x  ge  1  — >  (for all  z  ((  llez&zle  msg_out_lh(x)) 

— >  #stdout [msg_output_begins_at(x)  +(z-l)] 

=  mk.word(.stdin[msg_input_begins_at(x)  +  ((8  *  z  -  5)  /  3)], 

.stdin[msg_input_begins_at(i)  +  ((8  *  z  -  1)  /  3)])))") 


9.1.5  The  correctness  assertion 


;  ; ;  The  correctness  assertion 

; ;  State  delta  infinite_sequence_data_structure_messages.sd  is  the  correctness 
; ;  assertion  and  states  that  if  the  input  is  correct,  the  program  eventually 
; ;  produces  the  correct  output . 


(defsd  inf inite_sequence_data_structure_messages.sd 
"[sdpre:  (formulaCf inale. sd)  , 

forTiiula(input_places_disjoint.sd) , 
f  ormula (output _places_disj  oint . sd) , 
ada(msx_program_final_version.a) , 

f ormula (checksum.f irst_k_bytes .message _n_ definition) , 
f ormula(checksum_def inition) , 
f ormula (msg_in_lh_definition) , 
f ormula (msg_ out _lh_def inition) , 
f ormula (msg.input _begins_at .definition) , 
f ormula (msg.output. begins. at. definition) , 
f ormula(allowed.message.ids) , 
f  ormula ( input .c  ondit ion) ) 
comod:  (all) 
mod:  (all) 

post:  (formula(output .condition))  ]") 


9.1.6  Proofs  used  in  the  main  proof 


Proofs  used  in  the  main  proof.  Each  of  these  proofs  is  embedded 
in  setflag  and  comment  commands  that  allow  the  traceflag  to  be  turned  off 
in  the  main  proof  so  that  an  abbrieviated  trace  can  be  obtained.  Each 
proof  is  also  surrounded  by  printdate.if. wanted  commands  that  allow  timing 
information  to  be  obtained  if  the  timing  variable  is  set  to  true  in  the 
main  proof . 
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; ; ;  The  following  three  proofs  are  used  before  the  loop  induction  in  the  main 
; : ;  proof . 

;  ;  Proof  f ix:_constant_arxays  fires  problems  with  the  initialization  of 
; :  the  large  constant  arrays  WORDS_FOR_DATA_STRUC_TYPE  and  CMDS_FOR_DATA_STRUC_TYPE . 

(defproof  f ir_constant_arrays 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  f ir_constant_arrays . . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if _wanted, 

;  Go  to  declaration  of  WORDS_FOR_DATA_STROC_TYPE 
go 

#words_for_data_struc_type ’first  =  1, 
apply  3, 

;  Fix  declaration  of  WORDS_FOR_DATA_STRUC_TYPE 
eval  (load  \  "/u/versys/msx/array_constant  \  ") , 
apply, 

eval  (load  \  "/u/versys/msx/correct_array_constant  \  "), 

;  Go  to  declaration  of  CMDS_FOR_DATA_STRTJC_TYPE 

go 

#CMds_for_data_struc_type ’first  =  1, 
apply  3, 

;  Fix  declaration  of  CMDS.FDR_DATA_STRUC_TYPE 
eval  (load  \  "/u/versys/Bsx/array_constant  \  ") , 
apply, 

eval  (load  \  "/u/versys/msx/corrcct_array_constant  \  "), 
interpret  printdate_if_wanted, 
setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  fix_constant_arrays. . .  \  ", 
setflag  traceflag  off)") 

; ;  Proof  go_to_beginning_of _loop  symbolically  executes  until  the  beginning  of  the 
; ;  main  infinite  loop  in  the  program. 

(defproof  go_to_beginning_of _loop 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  go_to_beginning_of_loop. . .  \  ", 
setflag  traceflag  off , 

interpret  printdate_if _wanted, 

go  #msx_program_f inal.version  \\  pc  =  at (loop_begin) , 
interpret  printdate_if_wanted. 
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setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  go_to_beginning_of_loop. . .  \  ", 
setflag  traceflag  off)") 

; ;  Proof  do_lets  renames  various  things  so  that  they  can  be  easily  referred  to 
;;  later  (e.g.,  in  quantifier  commands). 

(defproof  do_lets 

"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  do_lets...  \  ", 
setflag  traceflag  off , 

interpret  printdate_if _wanted, 

letsd  loopsd  =  u(l) , 

let  old_universe  =  .msx_program_final_version, 
letq  input_condition  =  q(l) , 
letq  allowed_message_ids  =  q(2) , 
letq  msg_output_begins_at_def inition  =  q(3) , 
letq  msg_input_begins_at .definition  =  q(4) , 
letq  msg.out.lh.def inition  =  q(5) , 
letq  msg.in.lh.def inition  =  q(6) , 
letq  checksum.def inition  =  q(7) , 

letq  checksum.first.k.bytes.message.n.definition  =  q(8) , 
interpret  printdate.if .wanted, 
setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  do.lets...  \  ", 
setflag  traceflag  off)") 

; ;  The  remaining  proofs  are  used  in  the  loop  induction  in  the  main  proof . 

;  ;  These  are  split  into  those  used  in  the  base  case,  eind  those  used  in  the  step 
;  ;  case . 


; ;  Proof  base. case. proof  proves  the  base  case  of  the  loop  induction  in  the  main  proof 

(defproof  base. case. proof 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  base.case .proof .. .  \  ", 
setflag  traceflag  off, 

interpret  printdate.if .wanted, 

;  All  goals  are  vacuously  true  except  those  concerning  the  equality  of  the 
;  the  standard  input  counter  and  msg.input.begins.at (1) ,  and  of  the 
;  stcuidard  output  cotinter  and  msg.output.begins.at(l) 

provebyinstantiation 

using :  msg_input.begins.at.def inition 
substitutions:  (x=l) , 
pr o veby inst  ant iat ion 

using :  msg.output.begins.at.def inition 
subst itut ions :  (x= 1 ) , 
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interpret  printdate_if _¥anted, 
setflag  traceflag  on, 

coHMient  \  "Finished  with  interpretation  of  base_case. proof .. .  \  ", 
setflag  traceflag  off, 
close) ") 


;  ;  Proof  instantiate_J:th_ input  instantiates  the  input  condition  with  the  ¥alue  k. 

(defproof  instantiate_kth_input 
"(setflag  traceflag  on, 

coMaent  \  "Beginning  interpretation  of  instantiate_kth_input . . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if _Banted, 

pro vebyinst ant iat ion 

using:  input_condition_instantiated_on_n 
substitutions:  (z=k) , 

interpret  printdate_if_¥anted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  instantiate_kth_input . . .  \  ", 
setflag  traceflag  off)") 

; ;  Proof  produce_input_information  instantiates  the  input  condition  the  appropriate 
;  ;  n^^mber  of  times  so  that  the  prover  knows  about  the  inputs  for  the  nth  message. 

(defproof  produce_input_inf ormation 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  produce_input_inforBation. . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if .wanted, 

proweby inst  ant iat ion 

using:  input.condition 
substitutions:  (x=n)  , 

letq  input_condition_instantiated_on_n  =  q(l) , 

repeat  instantiate.kth.input  iterating  on  k  from  1  to  msg_in_lh(n) , 
interpret  printdate.if .wanted, 
setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  produce.input.inf ormation. . .  \  ", 
setflag  traceflag  off)") 

;  ;  Proof  go_to.retum_from.czill.to_ret_cmd.buf .and.status  symbolically  executes 
; ;  until  the  exit  from  the  procedure  RET.CHD.BUF.AND.STATUS . 

(defproof  go.to.retum.from.call.to.ret.cmd.buf.and.status 
"(setflag  traceflag  on. 
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comment  \  "Beginning  interpretation  of 

go_to_return_from_call_to_ret_cmd_buf_and_status. . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if .wanted, 

go 

#msx_program_f inal.version  \\  pc  = 

exit  ed (msx_program_f inal.version . serial_dig_cmds . ret_cmd_buf _and_status) , 
interpret  printdate.if .wanted, 
setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of 

go.to.retum_from_call_to_ret.cmd.buf_and_status.  . .  \  ", 
setflag  traceflag  off)") 

; ; ;  The  following  proofs  are  needed  as  SDVS  does  not  handle  array  assignments  in  the 
; ; ;  best  possible  way.  This  will  eventually  be  fixed. 


; ;  Proof  consider_cmd.status.buf .element  considers  one  element  of  the  data  structure 
; ;  CMD.STATUS.BXJF  in  SERIAL.DIG.CMDS . 

(def proof  consider. cmd.status.buf .element 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  consider. cmd.statiis.buf .element. . .  \  ", 
setflag  traceflag  off , 

interpret  printdate.if .wanted, 

consider  , cmd.status.buf [k] , 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  consider.cmd.status.buf .element ...  \  " , 
setflag  traceflag  off)") 

; ;  Proof  notice.cmd.buf s.records.equal.implies.f ields.equal  forces  the  prover  to  notice 
; ;  that  if  the  kth  elements  of  the  CMD.BUF  data  structures  in  SERIAL.DIG.CMDS  and 
;;  APP.MSGS  are  equal,  their  fields  are  equal. 

(def proof  notice.cmd.buf s.records.equal.implies.f ields.equal 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of 

notice.cmd.bufs.records.equal.implies.f ields.equal. . .  \  ", 
setflag  traceflag  off , 

interpret  printdate.if .wanted, 

notice 

. app.msgs . cmd.buf [k]  =  . cmd.buf [k]  — > 

.record(app_msgs. cmd.buf [k] ,first_byte)  =  .record(cmd_buf  [k] ,first_byte) , 
notice 
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.  app_«sgs .  cKd_buf  [k]  =  •  ciid_buf  [k]  — > 

.record(app_*sgs.cmd_buf  [k]  , second_byte)  =  .record(ciid_buf  [k]  ,second_byte)  , 
notice 

.  app_msgs .  c*d_buf  [k]  =  .cmd_bnf[k]  — > 

.record(app_msgs.c*d_buf  [k]  ,third_byte)  =  . record (cind_buf  [k]  ,third_byte)  , 
notice 

.  app_*sgs .  cmd_buf  [k]  =  .  cmd_buf  [k]  — > 

.record(app_iiisgs.  cnd_buf  [k]  ,fonrth_byte)  =  . record (cmd_buf  [k]  ,f ourth_byte)  , 

interpret  printdate_if_wanted, 

setflag  traceflag  on, 

coBnent  \  "Finished  with  interpretation  ol 

notice_CBd_bufs_records_equal_iiiiplies_f ields_equal.  .  .  \  ", 
setflag  traceflag  off)") 

;;  Proof  consider_app_Bsgs.cBd_status_buf_element  considers  one  elenent  of  the 
; ;  data  structure  CMD_STATUS_BUF  in  APP_MSGS. 

(defproof  consider_app_Bsgs . cmd_status_buf .element 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of 

consider.app.msgs. cmd.status.buf .element. . .  \  ", 
setflag  traceflag  off, 

interpret  printdate.if.wanted, 

consider  . app.msgs . cmd.status.buf [k] , 

interpret  printdate.if.wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of 

consider.app.msgs. cmd.status.buf. element. . .  \  ", 
setflag  traceflag  off)") 

; ;  Proof  f  ix.array.values.after_Ccill_to_ret_cmd.buf  .and.status  uses  the 
; ;  three  proofs  above  to  "remind"  the  prover  of  certain  information  about 
;  ;  the  arrays  passed  out  of  RET.CMD.BUF.AND.STATUS . 

(defproof  fix. array. values.af ter. call_to.ret_cmd.buf. and.status 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of 

fix_array_values_after_call_to_ret_cmd_buf .and.status .. .  \  ", 
setflag  traceflag  off, 

interpret  printdate.if.wanted, 

apply  u(l) , 

repeat  consider. cmd.status.buf .element 

iterating  on  k  from  1  to  Bsg_in_lh(n)/4  +  1, 

repeat  notice.cmd.buf s.records.equal.implies.f ields.equal 
iterating  on  k  from  1  to  msg_in_lh(n)/4  +  1, 
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repeat  consider_app_msgs .  ciiid_status_buf _element 
iterating  on  k  from  1  to  nisg_in_lh(n)/4  +  1, 

interpret  printdate_if_wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of 

f ix_array_values_after_call_to_ret_cmd_buf_and_status. . .  \  ", 
setflag  traceflag  off)") 

The  following  section  contains  the  adalemmas  for  the  intrinsic  functions 
used  in  the  program  and  proofs  which  use  them.  Note  that  the  postconditions 
of  the  adalemmas  are  as  weak  as  possible,  i.e.,  geared  for  input  values  which 
actually  occur  in  the  program.  These  lemmas  are  not  proved  as  they  replace  calls 
to  1750A  code. 


Adalemma  or_word. adalemma  is  the  adalemma  for  the  0R_W0RD  intrinsic  function. 

(defadalemma  or _word. adalemma 

" /u/versys/msx/ msx_program_f inal_vers ion. a" 
or_word  msx_program_f inal_version . intrinsic _f unctions . or_word 

( "all. high (.or.word.x)  &  all.low(.or_word.y)")  (or_word) 

("(#or_word  =  .or.word.x  +  .or_word.y  &  is.word(#or_word))")) 


;;  Proof  handle_f irst_or_word_call  simply  invokes  or_word. adalemma  and  is  used 
;;  only  on  the  first  call  to  0R_W0RD. 

(def proof  handle_f irst_or_word_call 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  handle_first_or_word_call . . .  \  ", 
setflag  traceflag  off , 

interpret  printdate_if _wanted, 

invokeadalemma  or_word. adalemma, 

interpret  printdate_if_wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  handle_first_or_word_call. . .  \  ", 
setflag  traceflag  off)") 

;;  Lemma  all .low. times . 256. is. all. high  states  that  if  x  is  all. low,  then  256*x 
;;  is  all. high. 

(def lemma  all . low .times . 256 . is . all . high 
"X  ge  0  &  X  le  255 

— >  (256  *  X  ge  0  &  256  *  X  le  65535)  & 

(256  *  x)  mod  256  =  0" 

(x)  nil  nil  (ok)  ; 
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: proof  "(proTeleima  all  .low. tiaes. 256 .  is. all. high 
proof ; 

(read  \  "axioms/mod. axioms  \  ", 
prowebyaLxioM  0  mod  256  =  (0  +  x  ♦  256)  mod  256 
using;  modmult)) ") 

;;  Proof  handle_remaining_or_word_calls  handles  all  calls  to  DR_W0RD  except  the  first. 
;;  It  uses  the  lemma  all . low. times. 256 . is. all .high  to  ensure  the  precondition  of 
;;  or_word . adalemma  is  met  before  it  is  invoked. 

(def proof  handle_remaining_or_word_calls 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  handle_remaining_or_word_calls. . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if_wanted, 

provebylemma 

(256  *  . stdin[( ( (8* ( .word_cntr  -3))+3)/3) 

+  msg_input_begins_at (n)  ]  ge  0  & 

256  *  . stdin[( ((8* ( . word_cntr  -3))+3)/3) 

+  msg_input_begins_at(n)  ]  le  65535)  k 
(256  ♦  .stdin[(((8*(.word_cntr  -3))+3)/3) 

+  msg_input_begins_at(n)  ])  mod  256  =  0 
us ing :  al 1 . low . t imes . 256 . is . all . high , 

invokeadalemma  or_word. adalemma, 

interpret  printdate_if_wanted, 

setflag  traceflag  on, 

C-Otnfflpnt'. 

\  "Finished  with  interpretation  of  handle_remaining_or_word_calls. . .  \  ", 
setflag  traceflag  off)") 

; ;  Proof  handle_or_word_call  uses  the  proof  handle_f irst_or_word_call  on  the 
; ;  first  call  to  0R_tfDRD,  handle_remaining_or_word_ calls  on  subsequent  calls. 

;;  This  is  done  because  the  lemma  all. low. times. 256. is. all. high  is  not  needed 
;;  on  the  first  call  since  the  first  argument  is  then  2,  and  the  prover  knows 
;;  all.high(256*2)  without  any  help. 

(defproof  handle_or_word_call 
"(setflag  traceflag  on, 

comment  \  "S3rmbolic  execution  is  at  the  entry 

to  the  intrinsic  function  0R_W0RD  \  " , 
comment  \  "This  fimction  will  be  handled  by  handle_or_word_call ,  \  ", 
comment  \  "which  invokes  an  adalemma  \  " , 

comment  \  "Beginning  interpretation  of  handle_or_word_call . . .  \  ", 
setflag  traceflag  off , 

interpret  printdate_if .wanted, 

if  not  .build_in_progress 

then  handle.f irst_or_word_call. 
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if  .build_in_progress 

then  handle_remaining_or_Hord_calls , 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  handle_or_word_call. . .  \  ", 
setflag  traceflag  off)") 

;;  Adalemma  and.word. lemma  is  the  adalemma  for  the  AND.WORD  intrinsic  function. 

(def  adalemma  and. word . adalemma 

" /u/versys/msx/ msr.pr ogram.f inal .vers ion. a" 

and.word  msr.program.fineil .version .  intrinsic.f unct  ions .  and. word 
("true")  (and.word) 

("(. and.word. y  =  65280  — >  #and_word  =  (. and.word. x/256) *256)  & 

(. and.word. y  =  255  — >  #and.word  =  . and.word. i  mod  256)  !c 
(. and.word. X  =  65280  — >  #and.word  =  (.and. word. y/256)*256)  k 
(. and.word. X  =  255  — >  #and.word  =  . and.word. y  mod  256)  k 
is .word(#and.word) ") ) 

;;  Proof  handle. and.word. call  simply  invokes  the  adalemma  and.word. adalemma. 

(defproof  handle.and.word.call 
"(setflag  traceflag  on, 

comment  \  "Symbolic  execution  is  at  the  entry 

to  the  intrinsic  function  AND.WORD  \  ", 
comment  \  "This  fimction  will  be  handled  by  handle.and.word.call,  \  ", 
comment  \  "which  invokes  an  adalemma  \  " , 

comment  \  "Beginning  interpretation  of  handle.and.word.call...  \  ", 
setflag  traceflag  off, 

interpret  printdate. if .wanted, 

invokeadalemma  and.word. adalemma, 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  handle.and.word.call...  \  ", 
setflag  traceflag  off)") 

;;  Adalemma  and.i  is  the  adalemma  for  the  AND.I  intrinsic  function. 

(def adalemma  and.i . adalemma 

"  /u/versys/msi/msx.program.f inal .vers ion. a" 

and.i  msx.program.f inal.version. intrinsic.f unctions. and.i 
("true")  (and.i) 

("(. and.i. y  =  7  — >  #and.i  =  .aind.i.x  mod  8)  k  is .word(#and.i) ")) 
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;;  Proof  handle_and_i_call  simply  invokes  the  adalemma  and_i . adalemma. 

(defproof  handle_and_i_call 
"(setflag  traceflag  on, 

comment  \  "Symbolic  execution  is  at  the  entry 

to  the  intrinsic  function  AND_I  \  " , 
comment  \  "This  function  will  be  handled  by  handle_and_i_call ,  \  ", 
comment  \  "which  invokes  an  adalemma  \  " , 

comment  \  "Beginning  interpretation  of  handle_and_i_call . . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if_wanted, 

invokeadalemma  and_i. adalemma, 

interpret  printdate_if_wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  handle_and_i_call . . .  \  ", 
setflag  traceflag  off)") 

; ;  Adalemma  and_byte  is  the  adalemma  for  the  AND_BYTE  intrinsic  function. 

(def adalemma  and_byte. adalemma 

" /u/ versys/msx/ msx_program_f inal_version. a" 

and.byte  msx_program_final_version. intrinsic .functions . and.byte 
("true")  (and.byte) 

("(.and.byte.y  =  127  — >  #and_byte  =  .and.byte.x  mod  128)  &  is . word(#and_byte) ")) 


;;  Proof  handle_and_byte_call  simply  invokes  the  adalemma  and.byte . adalemma. 

(defproof  handle_and_byte_call 
"(setflag  traceflag  on, 

comment  \  "Symbolic  execution  is  at  the  entry 

to  the  intrinsic  function  AHD.BYTE  \  " , 
comment  \  "This  function  will  be  handled  by  handle_and_byte_call,  \  ", 
comment  \  "which  invokes  an  adalemma  \  " , 

comment  \  "Beginning  interpretation  of  handle_and_byte_call. . .  \  ", 
setflag  traceflag  off , 

interpret  printdate.if .wanted, 

invokeadaleima  and.byte. adalemma, 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  handle.and_byte.call...  \  ", 
setflag  traceflag  off)") 

;;  Adalemma  shift.logical.word. adalemma  is  the  adalemma  for  the  SHIFT.LDGICAL.WORD 
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; ;  intrinsic  function. 


(def adalemma  shif t_logical_word. adalemma 

"/u/versys/msx/msx_prograin_f  inal_version.a" 

sliift_logical_¥ord  msx_program_f inal_Tersion. intrinsic.funct ions. shift _logical_Bord 
("true")  (shift_logical_¥ord) 

("(.shift_logical_word.y  =  -8  — > 

(#shift_logical_¥ord  = 

.shift_logical_¥ord.x  /  256  k  is.byte(#shift_logical_¥ord)) )  k 
(is  .byte( .shift_logical_¥ord.x)  k  . shift_logical_¥ord.y  =  8  — > 
(#shift_logical_¥ord  = 

.shift_logical_¥ord.x  *  256  k  is.¥ord(#shift_logical_¥ord)) ) ") ) 


; ;  Proof  handle_shif t_logical_¥ord_call  simply  invokes  the  adalemma 
;;  shift_logical_¥ord. adalemma. 


(def proof  handle_shift_logical_¥ord_call 
"(setflag  traceflag  on, 

comment  \  "Symbolic  execution  is  at  the  entry 

to  the  intrinsic  function  SHIFT_LOGICAL_WORD  \  " , 
comment  \  "This  function  ¥ill  be  handled  by  handle_shif t_logical_¥ord_call ,  \  ", 
comment  \  "¥hich  invokes  an  adalemma  \  ", 

comment  \  "Beginning  interpretation  of  handle_shift_logical_¥ord_call. . .  \  ", 
setflag  traceflag  off , 

interpret  printdate_if _¥anted, 

invokeadalemma  shif t_logical_¥ord. adalemma, 

interpret  printdate_if _¥anted, 

setflag  traceflag  on, 
comment 

\  "Finished  vith  interpretation  of  handle_shift_logical_¥ord_call . . .  \  ", 
setflag  traceflag  off)") 

;  ;  Adalemma  xor_¥ord. adalemma  is  the  adalemma  for  the  X0R_¥DRD  intrinsic  function. 

(def adalemma  xor_¥ord. adalemma 

" /u/ versys/msx/ msx_pr ogr am_f inal_ver s ion .a" 

xor_¥ord  msx_program_f inal_version. intrinsic_functions .xor_¥ord 
("true")  (xor_¥ord) 

(" (#xor_¥ord  =  sdvs_xor_¥ord(.xor_¥ord.x, .xor_¥ord.y)  k  is.¥ord(#xor_¥ord))")) 

(defproof  handle_xor_¥ord_call 
"(setflag  traceflag  on, 

comment  \  "Symbolic  execution  is  at  the  entry 

to  the  intrinsic  function  X0R_W0RD  \  " , 
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coiuient  \  "This  fmiction  will  be  handled  by  handle_xor_word_call ,  \  ", 
cement  \  "which  invokes  an  adalema  \  " , 

cement  \  "Beginning  interpretation  of  handle_ror_word_call.  .  .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if_wanted, 

invokeadalema  xor_word.  adalema, 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

cement  \  "Finished  with  interpretation  of  handle_xor_word_call ...  \  " , 
setflag  traceflag  off)") 


; ; ;  The  following  proofs  handle  problems  with  array  assignments  after  the  call  to 
;;;  MANAGE_MSG_RETRIEVAL . 

;;  Proof  consider_app_msg_out_element  considers  the  kth  element  of  . app_msg_out . 

(def proof  consider. app_msg_out .element 
"(setflag  traceflag  on, 

cement  \  "Beginning  interpretation  of  consider. app.msg.out. element ..  .  \  ", 
setflag  traceflag  off , 

interpret  printdate. if .wanted, 

consider  . app.msg.out [k] , 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

cement  \  "Finished  with  interpretation  of  consider. app.msg.out. element ..  .  \  ", 
setflag  traceflag  off)") 

; ;  Proof  f ix.array.values.after.call.to.manage.msg.retrieval  "reminds"  the  prover 
; ;  of  information  about  the  array  . app_msg.out . 

(def proof  fix.array. values. aft er.call.to.manage.msg.retrieval 
"(setflag  traceflag  on, 

cement  \  "Symbolic  execution  is  at  the  exit  from  the 
MANAGE.MSG.RETRIEVAL  procedure  \  " , 
cement  \  "Beginning  interpretation  of 

fix.array .values. after .call.to.manage.msg.retrieval .. .  \  ", 
setflag  traceflag  off, 

interpret  printdate.if .wanted, 

apply  u(l) , 

repeat  consider. app.msg.out. element 

iterating  on  k  from  1  to  (1  +  msg_out.lh(n) ) , 

interpret  printdate. if. wanted. 
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setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of 

f  ix_a2:ray_values_after_call_to_manage_msg_retrieval . .  .  \  ", 
setflag  traceflag  off)") 


;;  Lemma  checksum. lemma  is  used  in  proof  prove_checksum_correct . 

(def lemma  checksum. lemma 

"X  ge  0  &  y  gt  0  — >  (x  /  y)  ♦  y  +  X  mod  y  =  x" 

(x  y)  nil  nil  nil 

rproof  "(provelemma  checksum. lemma 
proof : 

(read  \"axioms/rem. axioms\" , 
read  \ " axioms/mod. axioms\" , 
meases 

(case;  x  gt  0 
proof : 

(provebyaxiom  x  mod  y  =  x  rem  y 
using:  modreml, 

provebyaxiom  x=(x/y)*y+x  rem  y 
using:  remdef) 

case:  x  =  0 

proof : 

(read  \"axioms/div. axioms\" , 
provebyaxiom  x  /  y  =  0 
using:  diveqO, 

provebyaxiom  x  mod  y  =  x  rem  y 
using:  modreml, 

provebyaxiom  x=(x/y)*y+x  rem  y 
using:  remdef))))") 

; ;  Proof  instantiate_checksum_message_n  instantiates  k  for  n  in  the  quantified 
; ;  formula  checksum_message_n  . 

(def proof  instantiate_checksum_message_n 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  instantiate_checksum_message_n  ...  \ 
setflag  traceflag  off , 

interpret  printdate_if_wanted, 

provebyinstant iat ion 

using;  checksum_message_n 
substitutions:  (k=z) , 

interpret  printdate_if _wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  instantiate_checksum_message_n  \ 
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setflag  traceflag  off)") 

;  Proof  pro¥e_checksiui_correct  proves  that  the  result  of  the  checksius 
;  calculation  has  the  same  value  as  the  output  word  formed  from  the 
;  input  checksum  bytes. 


(defproof  prove_checksum_ correct 
"(  setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  prove_checksuB_correct . . , 

setflag  traceflag  off, 

interpret  printdate_if_uanted, 

pro vebyinst ant iat ion 

using:  checksum_def inition 
substitutions;  (x=n) , 

provebylemma  ( checksum (n)  /  256)  *  256  +  checksum(n)  mod  256 

=  checksum (n) 
using:  checksum. lemma, 

provebyinstantiation 

using :  checksum_first_k_bytes_message_n_ definition 
substitutions:  (n=n) , 

letq  checksum_message_n  =  q(l), 

repeat  instantiate_checksum_message_n 

iterating  on  z  from  0  to  msg_out_lh(n)  -  1, 

apply , 

interpret  printdate_if _wanted, 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  prove_checksum_correct . . . \" , 

setflag  traceflag  off)") 

;  ;  Proof  loop_body  symbolically  executes  until  it  reaches  the  call  of  an 
;  ;  intrinsic  function,  the  exit  from  MANAGE_MSG_RETRIEVAL,  the  proof  label 
;;  after_checksum  calculation,  or  the  top  of  the  loop.  It  uses  the 
; ;  appropriate  proof  (prefixed  with  handle_  )  on  the  call  of  an  intrinsic  function, 
; ;  fixes  array  values  after_MSG_RETRIEVAL  with  the  proof 
; ;  f ix_array_values_after_call_to_manage_msg_retrieval,  and  uses 
; ;  prove_checksuB_correct  after  the  checksum  calculation  to  prove  the  checksum 
;;  values  are  correct. 


(defproof  loop_body 

"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  loop_body...  \  ", 
setflag  traceflag  off, 

interpret  printdate_if_wanted. 
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go 


;Call  to  an  intrinsic  function 

(#msr_program_f inal_version  \\  pc  = 

at (msx.program.f inal.version. intr ins ic_f unctions. or _¥ord) )  or 
(#msx_prograiii_f inal_version  \\  pc  = 

at (]nsx_program_f inal_version. intrinsic_functions.ior_word) )  or 
(#msx_program_f inal_version  \\  pc  = 

at (nisx_program_f inal_version. intrinsic_functions. and_i) )  or 
(#iiisx_program_final_version  \\  pc  = 

at (msx_program_final_version. intrinsic_f unctions . and_Bord) )  or 
(#msx_program_f inal_version  \\  pc  = 

at  (insx_program_fincd_version.  intrinsic _functions .  and.byte) )  or 
(#iiisx_prograiii_final_version  \\  pc  = 

at (iiisx_prograiii_final_version. itttrinsic_f unctions . shift _logical_¥ord) )  or 

; After  MANAGE_MSG_RETRIEVAL 

(#msx_prograni_f inal_version  \\  pc  = 

exit ed(msx_program_final_Ters ion.  app_insgs  .manage_msg_retrieval))  or 

; After  checksum  calculation 

(#msx_program_final_version  \\  pc  = 
at (after. checksum_calculation))  or 

; Beginning  of  loop 

f ormula(loopsd) , 

;  Handle  intrinsic  calls  with  adalemmas 

if  .msx.program.f inal.version  \\  pc  = 

at (msx.program.f inal.version.intrinsic.fimctions.or.word)  then 
handle.or.word.call , 
if  . msx.program.f ineil.version  \\  pc  = 

at (msx.program.f inal.version . intrinsic.! unct ions . xor.word)  then 
handle.xor.word.call , 
if  .msx.program.f inal.version  \\  pc  = 

at  (msx.program.f  incil.version.  intrinsic.functions.  and.word)  then 
handle. and.word.call , 
if  .msx.program.f incil.version  \\  pc  = 

at (msx.program.f inal.version. intrinsic.functions . and.i)  then 
handle.and.i.call , 

if  .msx.program.f incil.version  \\  pc  = 

at (msx.program.f inal.version. intrinsic.functions . and.byte)  then 
handle.and.byte.call , 
if  .msx.program.f inal.version  \\  pc  = 

at (msx.program.f inal.version . intrinsic.! imct ions . shift .logical.word)  then 
handle.shif t.logical.word.call , 

;Fix  array  values 

if  .msx.program.f inal.version  \\  pc  = 
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exit ed(iisx_pr ograai_f inal_vers ion.  app.msgs  .maiiage_msg_retrieval)  then 
f ix_array_values_after_call_to_Manage_msg_retrieval , 

;ProTe  checksua  bytes  have  correct  value 

if  .MSx_prograji_f inal_version  \\  pc  = 
at (af ter_checksum_calculation)  then 
prove_checksuB_correct , 

interpret  printdate_if _Hanted, 

setflag  traceflag  on, 

coment  \  "Finished  vith  interpretation  of  loop_body...  \  ", 
setflag  traceflag  off)") 

; ;  Proof  handle_intrinsics_until_end_of_program  interprets  loop_body  until  the  top 
;;  of  the  loop. 

(def proof  handle_intrinsics_until_end_of _prograiE 
"(setflag  traceflag  on, 

coMMent  \  "Beginning  interpretation  of 

handle_intrinsics_until_end_of_prograiii. . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if .wanted, 

loop  until  f omulaCloopsd)  with  loop.body, 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

coBment  \  "Finished  with  interpretation  of 

handle. intrinsics.until.end.of . program. . .  \  ", 
setflag  traceflag  off)") 

;  ;  Lemma  queue.bounds . lemma  is  needed  to  prove  that  after  the  variable  CJ.HEAD  and 
;;  Q.TAIL  are  updated,  they  are  still  legitimate  array  bounds  (i.e.,  between  one  and 
; ;  thirty  inclusive) .  State  deltas  that  correspond  to  statements  which  use  these 
; ;  variables  as  array  indices  have  preconditions  requiring  that  these  variables 
;;  are  in  bounds,  so  statements  that  the  original  values  of  these  variables  are  in 
; ;  bounds  are  part  of  the  loop  invariant  in  the  main  proof . 

(def lemma  queue.bounds . lemma 
"z  ge  1  &  z  le  30 

— >  z  mod  30  +  1  ge  1  &  z  mod  30  +  1  le  30" 

(z)  nil  nil  nil 

: proof  " (pr ovelemma  queue.bounds . lemma 
proof : 

(read  \  "axioms /mod. axioms  \  ", 
read  \  "aixioms/rem. axioms  \  ", 
read  \  "aixioms/div. aixioms  \  ", 
cases  z  It  30 
then  proof : 

(provebyaxiom  z  /  30  =  0 
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using :  diveqO , 

provebyaxiom  z  =  (z  /  30)  *  30  +  z  rem  30 
using:  remdef, 

provebyaxiom  z  mod  30  =  z  rem  30 
using:  modreml) 
else  proof:  ))") 

; ;  Proof  f inish_off _non_output_goads  proves  that  all  of  the  goals  which  the  prover 
; ;  does  not  know  to  be  true  after  symbolically  executing  through  the  loop  with  the 
; ;  exception  of  the  goal  involving  the  output  condition. 

(def proof  f inish_off _non_output_goals 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  f inish_off _non_output_goals . . .  \  ", 
setflag  traceflag  off , 

interpret  printdate_ if .wanted, 

;  Proves  that  the  statements  concerning  the  queue  variables 
;  in  the  invariant  are  re-established 

provebylemma  old_q_head  mod  30  +  1  ge  1  fe 
old_q_head  mod  30  +  1  le  30 
using:  queue .bounds . 1 emma , 

;  Input/output  counters  have  been  incremented  appropriately 

pr o veby inst  ant iat ion 

using :  msg.output.begins.at .definition 
substitutions:  (x=n  +  1), 
pro veby inst  ant iat ion 

using:  msg.input .begins. at .definition 
substitutions:  (x=n  +  1), 

interpret  printdate. if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  finish.off.non.output. goals. . .  \  ", 
setflag  traceflag  off)") 


The  following  section  contains  proof  commands  used  to  prove  the  output  condition 
in  the  n  =  x  case.  At  the  end  of  this  case,  the  prover  knows  (i.e.,  can  simplify 

to  true)  the  output  condition  at  1,  2,  .  msg.out.lhCi) ,  but  doesn’t  know  the 

actual  output  condition.  So  we  are  the  position  of  having  to  convince  the  prover 
of  forall  z  (1  le  z  &  z  le  msg.out.lhCx)  — >  P(z))  when  it  already  knows  P(l), 
P(2),  ...,  P (msg.out.lhCx)  -  1),  P(msg.out.lh(x)) . 


; ;  Proof  notice.output.condition.at.k.quantif ied.over.z  notices  forall  z  P(k) 
;  ;  when  P(k)  is  true  and  puts  it  on  the  list  of  quantifiers  (N.B. :  z  does  not 
;;  occur  free  in  P(k)  ) 

(def proof  not ice.output.condition.at.k.quantif ied.over.z 
"(setflag  traceflag  on. 
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coMMent  \  "Beginning  interpretation  of 

notice_output_condition_at_k_quantif ied_over_z. . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if _Banted, 

notice 

forall  z  ( .stdout [msg_output_begins_at (i)  +  (k  -  1)] 

=  ■k.word(.stdin[msg_input_begins_at(r)  +  (8  *  k  -  5)  /  3] , 

.stdin[msg_input_begins_at(x)  +  (8  *  k  -  1)  /  3] ) ) , 

interpret  printdate_if_wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of 

notice_output_condition_at_k_quantif ied_over_z. . .  \  ", 
setflag  traceflag  off)") 

; ;  Proof  another_version_of_output_condition_at_k_quantif ied_over_z  proves 
;;  forall  z  (z=k  — >  P(k))  from  forall  z  P(k) 

(def proof  another_version_of .output _condition_at_k_quant if ied_over_z 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of 

another _version_of_output_condition_at_k_quantified_over_z. . .  \  ", 
setflag  traceflag  off, 

interpret  printdate.if .wanted, 

provebygeneralization 
forall  z  (z  =  k  — > 

.stdout[msg_output .begins. at (x)  +  (z  -  1)] 

=  mk.word(.stdin[msg.input.begins.at(i)  +  (8  *  z  -  5)  /  3]  , 

. stdin [msg.input .begins. at (x)  +  (8  ♦  z  -  1)  /  3] ) ) 

using:  (forall  z  ( . stdout [msg.output.begins.at (x)  +  (k  -  1)] 

=  mk.Bord(.stdin[msg.input.begins.at(x)  +  (8  *  k  -  5)  /  3]  , 

.stdin[msg.input.begins.at(x)  +  (8  *  k  -  1)  /  3] ) ) )  , 

interpret  printdate.if .wanted, 

setflag  traceflag  on,  ; 

comment  \  "Finished  with  interpretation  of  ] 

another.version.of.output.condition.at.k.quantif ied.over.z . . .  \  ", 
setflag  traceflag  off)") 

! 

: ;  Proof  prove.output.condition.for.z.equal.to.l  proves 

;;  forall  z  (1  le  z  fe  z  It  2  — >  P(z))  from  forall  z  (z  =  1  — >  P(z)) 

(def proof  prove.output.condition.f or.z.equal.to.l 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of 

prove.output.condition.for.z.equal.to.l . . .  \  ", 

setflag  traceflag  off,  I 
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interpret  printdate.if .wanted, 

provebymakeboundedquantif ier 

forall  z(l  lez&z  It  2  — > 

. stdout [msg_output_begins_at (r)  +  (z  -  1)] 

=  iiik.fford(.stdin[msg_input_begins_at(x)  +  (8  *  z  -  5)  /  3]  , 
.stdin[msg_input_begins_at(x)  +  (8  *  z  -  1)  /  3])) 

using:  (forall  z  (z  =  1  — > 

•stdout [msg_ output _begins_at(x)  +  (z  -  1)] 

=  mk.word(.stdin[msg_input_begins_at(x)  +  (8  *  z  -  5)  /  3] , 

.stdin[msg_input_begins_at(x)  +  (8  *  z  -  1)  /  3]))), 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of 

prove.output.condition.for.z.equal.to.l . . .  \  ", 
setflag  traceflag  off)") 

; ;  Proof  prove.output.condition.f or.z.ranging.from.l.to.k.plus.l  proves 
; ;  forall  z  (  1  le  z  &  z  It  k+1  — >  P(z))  from  forall  zCllez&zltk  — >  P(z)) 
;;  and  forall  z  (z=k  — >P(z)) 

(def proof  prove.output.condition.f or.z.ranging.from.l.to.k.plus.l 
"(setflag  traceflag  on, 
comment  \  "Begiiming  interpretation  of 

prove.output.condition.f or_z_ranging.from.l_to.k.plus_l .. .  \  ", 
setflag  traceflag  off, 

interpret  printdate.if. wanted, 

provebymakeboundedquantifier 
forall  z  (1  le  z  ft  z  It  k+1  — > 

. stdout [msg.output.begins.at(i)  +  (z  -  1)] 

=  mk.word( .stdin[msg.input_begins.at(x)  +  (8  *  z  -  5)  /  3]  , 

.stdin[msg.input.begins_at(x)  +  (8  *  z  -  1)  /  3])) 

using:  (forall  z  (llezftzltk  — > 

. stdout [msg.output.begins.at (x)  +  (z  -  1)] 

=  mk.word(.stdin[msg_input.begins_at(x)  +  (8  *  z  -  5)  /  3]  , 

.stdin[msg_input.begins.at(r)  +  (8  *  z  -  1)  /  3] ) )  , 

forall  z  (z  =  k  — > 

■Stdout [msg.output.begins.at (x)  +  (z  -  1)] 

=  mk.word(.stdin[msg.input_begins.at(x)  +  (8  *  z  -  5)  /  3]  , 

.stdin[msg.input.begins.at(x)  +  (8  *  z  -  1)  /  3] ) ) )  , 

interpret  printdate.if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of 

prove.output.condition.f or.z.ranging.from.l.to.k.plus.l .. .  \  ", 
setflag  traceflag  off)") 


; ;  Proof  pro¥e_actual_output_condition  is  the  last  step  in  the  proof 
: ;  f inish_of f_output_goal  and  proves  the  actual  output  condition. 


(def proof  prove_actual_output_condition 
"(setflag  traceflag  on, 

coHffient  \  "Beginning  interpretation  of  prove_actual_output_condition. . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if_nanted. 


proveb3rBakeboundedquantif  ier 
forall  z((llez&zle  iiisg_out_lh(i))  — > 

( . stdout [msg_output_begins_at (x)  +  (z  -  1)] 

=  ■k.iiord(.stdin[asg_input_begins_at(x)  +  (8  *  z  -  5)  /  3]  , 
.stdin[Bisg_input_begins_at(x)  +  (8  *  z  -  1)  /  3]))) 


using:  (forall  z  ((1  le  z  &  z  It  k)  — > 

( . stdout [msg_output_begins_at (x)  +  (z  -  1)] 

=  mk.word(.stdin[msg_input_begins_at(x)  + 
.stdin[msg_input_begins_at(x)  + 


(8  *  z  -  5)  /  3]  , 

(8  ♦  z  -  1)  /  3]))), 


forall  z  ((z  =  k)  — > 

( .stdout [msg_output_begins_at(x)  +  (z  -  1)] 

=  mk.Bord(.stdin[msg_input_begins_at(x)  +  (8  *  z 
.stdin[Bsg_input_begins_at(x)  +(8*2 


5)  /  3]  , 

1)  /  3])))), 


interpret  printdate_if_wanted. 


setflag  traceflag  on, 

coBBent  \  "Finished  with  interpretation  of  prove_actual_output_condition. . .  \  ", 
setflag  traceflag  off)") 

; ;  Proof  f inish_off _output_goal  uses  the  above  proof  commands  to  prove  the 
; ;  output  condition. 

(defproof  f inish_off _output_goal 
"(setflag  traceflag  on, 

coBment  \  "Beginning  interpretation  of  f inish_of f_output_goal . . .  \  ", 
setflag  traceflag  off, 

interpret  printdate_if .wanted. 


repeat  notice_output_condition_at_k_quantif ied_over_z 
iterating  on  k  from  1  to  Bsg_out_lh(x) , 

eval  (load  \  "/u/versys/Bsx/dotted_subexpressions  \  ") , 

repeat  another_version_of_output_condition_at_k_quantif ied_over_z 
iterating  on  k  from  1  to  msg_out_lh(x) , 

eval  (load  \  "/u/versys/Bsx/correct_dotted_subexpressions  \  ") , 

interpret  prove_output_condition_f or_z_equal_to_l , 

repeat  prove_output_condition_for_z_ranging_from_l_to_k_plus_l 
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iterating  on  k  from  2  to  msg_out_lh(x)  -  1, 

repeat  prove_actual_output_condition 

iterating  on  k  from  msg_out_lh(x)  to  msg_out_lh(x) , 

interpret  printdate_if .wanted, 

setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  f inish_off_output_goal. . .  \  ", 
setflag  traceflag  off)") 


; ;  Proof  every.case. proof  is  the  generic  proof  for  every  case  in  the  step  case 
; ;  of  the  induction. 

(defproof  every  .cause  .proof 
"(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  every.case. proof .. .  \  ", 
setflag  traceflag  off, 

interpret  printdate.if .wanted, 

;  Want  to  name  current  value  of  q.head  to  use  in  queue.bounds .lemma 
let  old.q.head  =  .q.head, 

;  These  instantiations  aire  needed  so  that  the  prover  knows  the  concrete 
;  values  of  the  input  and  output  length  of  the  current  message,  as 
;  these  are  used  in  repeat  loops . 

pr o veby inst  ant iat ion 

using:  msg_in.lh.def inition 
substitutions:  (x  =  n) , 
provebyinstant iat ion 

using:  msg.out.lh. definition 
substitutions:  (x  =  n) , 

meases 

(case:  n  It  x 
proof : 

(setflag  traceflag  on, 

comment  \  "Beginning  interpretation  of  n  It  x  case...  \  ", 
setflag  traceflag  off, 

interpret  printdate.if.wanted, 

;  Needed  to  speed  up  proof  (see  comments  at  definitions) 
interpret  separate.input .places, 
interpret  separate.output .places, 

;  Common  part  of  both  cases 

interpret  produce.input.inf ormation. 
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interpret  go_to_retum_from_call_to_ret_ciid_buf _and_status , 
interpret  f ix_array_values_af ter_call_to_ret_cnd_buf _and_status , 
interpret  handle_intrinsics_until_end_of _program , 
interpret  f inish_of f _non_output_goals , 

;  End  of  conuaon  part 

coment  \  "Attempting  to  close  on  goals  for  n  It  r  case ...  \  ", 

interpret  pr int dat e_ if _ff anted, 

close) 

case:  n  =  x 
proof : 

(setflag  traceflag  on, 

coament  \  "Beginning  interpretation  of  n  =  x  case...  \  ", 
setflag  traceflag  off, 

interpret  printdate_if .wanted, 

;  Comaion  part  of  both  cases 

int erpr et  produce. input. inf ormat ion , 

interpret  go.to.retum.f rom.call.to.ret.cmd.buf .and.status , 
interpret  f ix.array.values.aif ter_call.to_ret.cmd.buf .and.status , 
int erpret  handle. int r ins ics _unt il.end.of .program , 
interpret  f inish. of f .non. output .goals , 

;  End  of  common  part 

interpret  finish. off .output .goal, 

comment  \  "Attempting  to  close  on  goals  for  n  =  x  case...  \  ", 
interpret  printdate.if .wanted, 
close) ) , 

interpret  printdate.if .wanted, 
setflag  traceflag  on, 

comment  \  "Finished  with  interpretation  of  every.case .proof .. .  \  ", 
setflag  traceflag  off)") 


9.1.7  The  versions  of  step.case. proof  used  in  the  main  proof 


Proof  step.case. proof  just  instantiates  allowed.message.ids  with  n 
for  X,  and  then  runs  ewery.case. proof  on  all  possible  message  ids 
in  a  multiple  cases  command.  Due  to  concerns  about  system  crashes, 
we  ran  the  proof  with  different  versions  of  step.case .proof .  In 
each  version,  we  proved  one  or  more  cases  cuid  deferred  the  rest. 
All  of  the  versions  of  step.case. proof  used  are  given  (in  order) 
below.  The  cases  handled  in  each  version  are  given  in  the  second 
comment  line. 
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(defproof  step_case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case. proof , 
comment  \"This  version  of  step_case. proof  handles  message  ids:  1\", 
setflag  traceflag  off , 

interpret  printdate_if_Hanted, 


;  Get  the  possible  message  identifiers  for  n 

provebyinstantiation 

using:  allo¥ed_message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  lor  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg_id(n)  =  1 
proof : 

(setflag  traceflag  on, 
comment  \"Currently  handling  message  id 
setflag  traceflag  off, 

interpret  every_case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  1 _ \", 

setflag  traceflag  off) 
case:  msg_id(n)  "=  1 
proof : 

(setflag  traceflag  on, 

comment  \"Def erring  proofs  for  all  message  ids  except  :  1  \", 
setflag  traceflag  off, 
defer) ) , 

interpret  printdate_if .wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case .proof .. .\" , 
setflag  traceflag  off)") 

(defproof  step.case .proof 
"(setflag  traceflag  on, 

comment  \ "Beginning  interpretation  of  step.case .proof ... \" , 

comment  \"This  version  of  step.case. proof  handles  message  ids:  2  and  3\", 

setflag  traceflag  off , 

interpret  printdate.if .wanted. 


;  Get  all  the  possible  message  ids  for  n 
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proYeby inst  ant iat ion 

using:  allowed_Message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  abo¥e,  and  defer  all  other  cases 

Mcases 

(case:  msg_id(n)  =  2 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  2...\", 
setflag  traceflag  off, 

interpret  every_case.proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id 

setflag  traceflag  off) 

case:  msg_id(n)  =  3 
proof : 

(setflag  traceflag  on, 

comment  \"Curxently  handling  message  id 
setflag  traceflag  off, 

interpret  every_case. proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  3....\", 
setflag  traceflag  off) 


case:  (msg_id(n)  "=  2  &  msg_id(n)  ■"=  3) 
proof : 

(setflag  traceflag  on, 

comment  \"Def erring  proofs  for  all  ids  except  :  2  and  3  . . . 
setflag  traceflag  off, 

defer) ) , 

interpret  printdate_if_wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step_case.proof . . , 
setflag  traceflag  off)") 


(def pr 0  of  st  ep_case . proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case .proof ... \" , 

comment  \"This  version  of  step_case. proof  handles  message  ids:  4  and  5\" 
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setflag  traceflag  off, 
interpret  printdate_if_wanted, 


;  Get  all  the  possible  message  ids  for  n 

pr ovebyinst ant iat ion 

using:  allowed_message_ids 
substitutions:  (x:=n)  , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 


meases 

(case:  msg_id(n)  =  4 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id 
setflag  traceflag  off, 

interpret  every_case. proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  4....\", 
setflag  traceflag  off) 


case:  msg_id(n) 
proof : 

(setflag 

comment 

setflag 


=  5 

traceflag  on, 

\"Currently  handling  message  id 
traceflag  off , 


interpret  every_case. proof. 


setflag  traceflag  on, 

comment  \"Finished  with  message  id 

setflag  traceflag  off) 


case:  (msg_id(n)  "=  4  &  msg_id(n)  "■=  5) 
proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  ids  except 
setflag  traceflag  off , 

defer)) , 

interpret  pr int dat e _ if _w anted, 
close , 

setflag  traceflag  on, 
comment  \"Finished  with  interpretation  of  step.case .proof , 
setflag  traceflag  off)") 


:  4  and  5  ...  \" 
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(defproof  step_case .proof 
"(setflag  traceflag  on, 

coMMent  \"Beginning  interpretation  of  step_case .proof , 

comient  \"This  version  of  step_case. proof  handles  message  ids:  6  and  7\' 

setflag  traceflag  off, 

interpret  printdate_if _oanted. 


;  Get  all  the  possible  message  ids  for  n 

pro vebyinst ant iat ion 

using:  alloBed_message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 


meases 

(case:  msg_id(n)  =  6 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  6...\", 
setflag  traceflag  off, 

interpret  every_case. proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  6....\", 
setflag  traceflag  off) 


case:  msg_id(n) 
proof : 

(setflag 

comment 

setflag 


=  7 

traceflag  on, 

\"Currently  handling  message  id  7...\", 
traceflag  off. 


interpret  every.case.proof , 
setflag  traceflag  on, 

comment  \"Finished  with  message  id  7.,..\", 
setflag  traceflag  off) 


case:  (msg_id(n)  "=  6  &  msg_id(n)  '=  7) 
proof : 

(setflag  traceflag  on, 

comment  \"Def erring  proofs  for  all  ids  except  :  6  and  7  . . . 
setflag  traceflag  off, 

defer)) , 

interpret  printdate_if _wanted. 
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close , 


setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step_case .proof ... \ 
setflag  traceflag  off)") 

(def proof  step_case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case .proof ... \" , 
comment  \"This  version  of  step_case. proof  handles  message  ids 
8,  9,  10,  11,  and  12\", 
setflag  traceflag  off, 

interpret  printdate_if .wanted. 


;  Get  all  the  possible  message  ids  for  n 

pro vebyinst ant iat ion 

using :  allowed_message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 


meases 

(case:  msg_id(n)  =  8 
proof: 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  8...\", 
setflag  traceflag  off, 

int  erpret  e very.case . proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  8....\", 
setflag  traceflag  off) 


case:  msg_id(n)  =  9 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  9...\", 
setflag  traceflag  off , 


interpret  every .case .proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  9..,,\", 
setflag  traceflag  off) 


case:  msg.id(n)  =  10 
proof : 


(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  10... \", 
setflag  traceflag  off. 
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interpret  e¥ery_case. proof. 


setflag  traceflag  on, 

coiment  \"Finished  with  message  id  10.... \", 
setflag  traceflag  off) 


case:  Bsg_id(n) 
proof : 

(setflag 

comment 

setflag 


«  11 

traceflag  on, 

\"Currently  handling  message  id  11... \", 
traceflag  off , 


interpret  every.case. proof , 


setflag  traceflag  on, 

comment  \ "Finished  with  message  id  11.... \", 
setflag  traceflag  off) 


case;  msg_id(n) 
proof : 

(setflag 

comment 

setflag 


=  12 

traceflag  on, 

\"Currently  handling  message  id  12... \", 
traceflag  off. 


interpret  every_case. proof , 
setflag  traceflag  on, 

comment  \"Finished  with  message  id  12.... \", 
setflag  traceflag  off) 

case:  (msg_id(n)  ~=  8  &  msg_id(n)  "=  9  &  msg_id(n)  ■=  10 
&  Bsg_id(n)  ~=  11  k  msg_id(n)  "=  12) 

proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  ids  except  : 

8,  9,  10,  11,  and  12  ...  \" , 
setflag  traceflag  off, 

defer) ) , 


interpret  printdate_if _wanted, 
close. 


setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step_case .proof .. .\ 
setflag  traceflag  off)") 

(defproof  step_case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case. proof .. .\" , 
comment  \"This  version  of  step_case. proof  handles  message  ids 
13,  14,  15,  16,  17,  18,  19,  and  20\", 
setflag  traceflag  off , 
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interpret  printdate_if _oanted. 


;  Get  all  the  possible  message  ids  for  n 

pr o veby inst  ant iat ion 

using;  alloffed_message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 


meases 

(case:  msg_id(n)  =  13 
proof : 

(setflag  traceflag  on, 

comment  \"CurTently  handling  message  id  13... \", 
setflag  traceflag  off, 

interpret  every_case. proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  13.... \", 
setflag  traceflag  off) 


case:  msg_id(n)  =  14 
proof : 

(setflag  traceflag  on, 

comment  \"Ctirrently  handling  message  id  14... \", 
setflag  traceflag  off. 


interpret  every_case. proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  14.... \", 
setflag  traceflag  off) 


case:  msg_id(n) 
proof : 

(setflag 

comment 

setflag 


=  15 

traceflag  on, 

\"Currently  handling  message  id  15... \", 
traceflag  off. 


int  erpret  every_case . proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  15 _ \", 

setflag  traceflag  off) 


case:  msg_id(n) 
proof : 

(setflag 

comment 

setflag 


=  16 

traceflag  on, 

\"Currently  handling  message  id  16... \", 
traceflag  off. 
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int  erpret  eTery_case . proof , 
setflag  traceflag  on, 

comment  \"Finished  with  message  id  16.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  17 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  17... \ 
setflag  traceflag  off, 

interpret  eTery_case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  17.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  18 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  18... \ 
setflag  traceflag  off , 

interpret  every.case.proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  18.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  19 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  haindling  message  id  19... \ 
setflag  traceflag  off, 

interpret  every.case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  19.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  20 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  hemdling  message  id  20... \ 
setflag  traceflag  off , 

interpret  e very _case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  20.... \", 
setflag  traceflag  off) 
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case:  (msg.idCn)  ■■=  13  &  asg_id(n)  ■■=  14  &  insg_id(n)  "■=  15 

&  nisg_id(n)  ~=  16  &  msg_id(ii)  ~=  17  &  msg_id(n)  "=  18 
&  msg_id(n)  “=  19  fe  msg_id(n)  ~=  20) 

proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  ids  except  : 

13,  14,  15,  16,  17,  18,  19,  and  20...  \", 
setflag  traceflag  off, 

defer)) , 

interpret  printdate_if_oanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with,  interpretation  of  step_case. proof ..  .\"  , 
setflag  traceflag  off)") 


(defproof  step_case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step.case.proof . . .\" , 
comment  \"This  version  of  step_case. proof  handles  message  ids: 

21,  22,  23,  24,  25,  and  26\", 
setflag  traceflag  off, 

interpret  printdate.if .wanted, 


;  Get  the  possible  message  identifiers  for  n 

pr o vebyinst  ant iat ion 

using:  allowed_message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above ,  and  defer  all  other  cases 

meases 

(case:  msg_id(n)  =  21 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  hcuidling  message  id  21... \", 
setflag  traceflag  off , 

interpret  every.case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  21.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  22 
proof : 

(setflag  traceflag  on. 
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comient  \"Currently  haoidling  message  id  22... \", 
setflag  traceflag  off, 

interpret  every_case .proof , 

setflag  traceflag  on, 

coiiment  \"Finished  with  message  id  22.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  23 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  23... \", 
setflag  traceflag  off, 

interpret  every_case.proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  23. . .  .\", 
setflag  traceflag  off) 

case:  msg_id(n)  =  24 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  24. . .\", 
setflag  traceflag  off, 

interpret  every_case.proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  24.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  25 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  25... \", 
setflag  traceflag  off , 

interpret  e very_case. proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  25.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  26 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  26... \", 
setflag  traceflag  off , 

interpret  every_case,proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  26.... \", 
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setflag  traceflag  off) 

case:  (msg_id(n)  “=  21  k  msg_id(n)  “=  22  k  msg_id(n)  ■"=  23 

k  insg_id(n)  ~=  24  k  msg_id(n)  ~=  25  k  msg_id(n)  '=  26) 

proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  ids  except  : 

21,  22,  23,  24,  25  ,and  26...  \" , 
setflag  traceflag  off, 

defer))  , 

interpret  printdate_if .wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case .proof .. .\" , 
setflag  traceflag  off)") 

(defproof  step.case. proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step.case .proof ... \" , 
comment  \"This  version  of  step.case. proof  haindles  message  ids: 

27,  28,  and  29\", 
setflag  traceflag  off, 

interpret  printdate.if .wanted. 


;  Get  all  the  possible  message  ids  for  n 

pr o vebyinst  ant iat ion 

using:  allowed.message.ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 


meases 

(case:  msg.id(n)  =  27 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  27... \", 
setflag  traceflag  off, 

interpret  every.case.proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  27.... \", 
setflag  traceflag  off) 


case:  msg_id(n)  =  28 
proof : 

(setflag  traceflag  on. 
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coiment  \"Currently  handling  message  id  28... \", 
setilag  traceflag  off, 

interpret  eTery_case.proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  28.... \", 
setflag  traceflag  off) 


case:  msg_id(n) 
proof : 

(setflag 

comment 

setflag 


=  29 

traceflag  on, 

\"Ctirrently  handling  message  id  29... \", 
traceflag  off , 


interpret  every_case .proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  29.... \", 
setflag  traceflag  off) 

case:  (msg_id(n)  ~=  27  &  msg_id(n)  "=  28  &  msg_id(n)  "'=  29) 
proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  ids  except  : 

27,  28,  and  29  ...  \", 
setflag  traceflag  off, 

defer) ) , 


interpret  printdate_if .wanted, 
close , 


setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case .proof .. .\" , 
setflag  traceflag  off)") 

(defproof  step.case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step.case .proof ... \" , 
comment  \"This  version  of  step. case. proof  handles  message  ids:  50\", 
setflag  traceflag  off, 

interpret  printdate.if.wanted. 


;  Get  the  possible  message  identifiers  for  n 

pr o veby inst  ant iat ion 

using:  allowed.message.ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 
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incases 


(case:  msg_id(n)  =  50 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  50. . 
setflag  traceflag  off, 

interpret  every_case.proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  50.... \", 
setflag  traceflag  off) 
case:  msg_id(n)  “=  50 
proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  message  ids  except  :  50  \" 
setflag  traceflag  off , 
defer)) , 

interpret  printdate.if .wanted, 
close, 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case .proof .. .\" , 
setflag  traceflag  off)") 

(def proof  step.case. proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step.Ccise. proof ..  .\"  , 

comment  \"This  version  of  step.case .proof  handles  message  ids:  51  and  52\ 

setflag  traceflag  off , 

interpret  printdate. if .wanted, 

;  Get  all  the  possible  message  ids  for  n 

pro vebyinstant iat ion 

using:  allowed.message.ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg.id(n)  =  51 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  51... \", 
setflag  traceflag  off , 

interpret  every .case. proof. 


181 


setflag  traceflag  on, 

coBUient  \"Finished  with  message  id  51.... \", 
setflag  traceflag  off) 

case:  ■sg_id(n)  =  52 
proof : 

(setflag  traceflag  on, 

coiuient  \"Ciirrently  handling  message  id  52... \", 
setflag  traceflag  off, 

interpret  eTery_case. proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  52.... \", 
setflag  traceflag  off) 


case:  (msg.idCn)  51  &  msg_id(n)  "=  52) 
proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  ids  except  :  51  and  52...  \", 
setflag  traceflag  off, 

defer)) , 

interpret  printdate_if .wanted, 
close, 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case.proof . . .\" , 
setflag  traceflag  off)") 

;;;  N.B:  We  were  unable  to  complete  cases  53,  54,  55,  and  56  due  to 
; ; ;  problems  with  ruiming  out  of  storage,  so  there  are  no  versions  of 
;;;  step.case.proof  which  handle  these  cases. 

(defproof  step.case.proof 
"(setflag  traceflag  on, 

comment  \ "Beginning  interpretation  of  step.case.proof .. .\" , 
comment  \"This  version  of  step.case.proof  handles  message  ids:  57\", 
setflag  traceflag  off, 

interpret  printdate. if .wanted. 


;  Get  the  possible  message  identifiers  for  n 

proveby instant iat ion 

using:  allowed.message.ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 
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meases 


(case:  msg_id(n)  =  57 
proof : 

(setflag  traceflag  on, 

comment  \"Ciirrently  handling  message  id  57... \", 
setflag  traceflag  off, 

interpret  every_case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  57.... \", 
setflag  traceflag  off) 
case:  msg_id(n)  "=  57 
proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  message  ids  except  :  57  \" 
setflag  traceflag  off, 
defer)) , 

interpret  printdate_if_wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  oith  interpretation  of  step_case.proof . . .\", 
setflag  traceflag  off)") 

(def proof  step_case. proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case. proof .. .\" , 
comment  \"This  version  of  step_case. proof  handles  message  ids:  58\", 
setflag  traceflag  off, 

interpret  printdate.if _wanted. 


;  Get  the  possible  message  identifiers  for  n 

provebyinstantiation 

using:  allo¥ed_message_ids 
subst itut ions :  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg_id(n)  =  58 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  58... \", 
setflag  traceflag  off , 

interpret  every_case. proof. 
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setflag  traceflag  on, 

comment  \"Finished  with  message  id  58.... \", 
setflag  traceflag  off) 
case:  msg_id(n)  ~=  58 
proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  message  ids  except  :  58  \", 
setflag  traceflag  off, 
defer)) , 

interpret  printdate_if _wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step_case. proof .. .\" , 
setflag  traceflag  off)") 

(defproof  step_case. proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case .proof ... \" , 
comment  \"This  version  of  step_case. proof  handles  message  ids:  59\", 
setflag  traceflag  off , 

interpret  printdate_if_wanted, 

;  Get  the  possible  message  identifiers  for  n 

proveby instant iat ion 

using:  allowed_message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg_id(n)  =  59 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  59.  .  .\", 
setflag  traceflag  off, 

interpret  every_case.proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  59.,.. \", 
setflag  traceflag  off) 
case:  msg_id(n)  ~=  59 
proof : 

(setflag  traceflag  on, 

comment  \"Def erring  proofs  for  all  message  ids  except  :  59  \", 
setflag  traceflag  off, 
defer) ) , 
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interpret  printdate_if .wanted, 
close , 

setllag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case. proof 
setflag  traceflag  off)") 

(def proof  step.case. proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_c«tse  .proof , 
comment  \"This  version  of  step.case. proof  handles  message  ids:  60\", 
setflag  traceflag  off , 

interpret  printdate.if .wanted. 


;  Get  the  possible  message  identifiers  for  n 

provebyinstantiation 

using:  allowed.message.ids 
substitutions:  (r=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg.id(n)  =  60 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  60... \", 
setflag  traceflag  off , 

int erpr et  every .case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  60.... \", 
setflag  traceflag  off) 
case:  msg.id(n)  "=  60 
proof : 

(setflag  traceflag  on, 

comment  \"Def erring  proofs  for  all  message  ids  except  :  60  \", 
setflag  traceflag  off , 
defer))  , 

interpret  printdate. if .wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case.proof . . .\" , 
setflag  traceflag  off)") 

(def proof  step.case.proof 
"(setflag  traceflag  on. 
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coMient  \"Beginning  interpretation  of  step_case  .proof , 

coMMent  \"This  version  of  Etep_case. proof  handles  message  ids:  61  and  62\" , 

setflag  traceflag  off, 

interpret  printdate_if _ffanted. 


;  Get  all  the  possible  message  ids  for  n 

proveby instant iat ion 

using:  allowed_message_ids 
substitutions:  (r=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 


meases 

(case:  msg_id(n)  =  61 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  61... \", 
setflag  traceflag  off, 

interpret  every_case .proof , 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  61.... \", 
setflag  traceflag  off) 


case:  msg_id(n)  *=  62 
proof : 


(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  62... \", 
setflag  traceflag  off. 


interpret  every.case. proof, 


setflag  traceflag  on, 

comment  \"Finished  with  message  id  62.... \", 
setflag  traceflag  off) 


case:  (msg_id(n)  “=  61  &  msg_id(n)  ~=  62) 
proof : 

(setflag  traceflag  on, 

comment  \"Def erring  proofs  for  all  ids  except  :  61  and  62...  \", 
setflag  traceflag  off, 

defer) ) , 

interpret  printdate_if_wanted, 
close , 

setflag  traceflag  on. 
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comment  \"Finished  with  interpretation  of  step_case .proof , 
setflag  traceflag  off)") 

(defproof  step_case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case. proof .. .\" , 
comment  \"This  version  of  step_case. proof  handles  message  ids:  63\", 
setflag  traceflag  off, 

interpret  printdate_if _wanted. 


;  Get  the  possible  message  identifiers  for  n 

pr o vebyinst  ant iat ion 

using:  allowed_message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg_id(n)  =  63 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  63... \", 
setflag  traceflag  off, 

int  erpret  every_case . proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  63.... \", 
setflag  traceflag  off) 
case:  msg_id(n)  ~=  63 
proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  message  ids  except  :  63  \" 
setflag  traceflag  off, 
defer)) , 

interpret  printdate_if_wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step_case. proof .. .\" , 
setflag  traceflag  off)") 

(defproof  step_case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case .proof ... \" , 
comment  \"This  version  of  step_case. proof  handles  message  ids: 

64,  65,  and  66\" , 
setflag  traceflag  off , 
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interpret  printdate_if _wan.ted, 

;  Get  all  the  possible  message  ids  for  n 

pr o veby inst  ant iat ion 

using:  allo¥ed_message_ids 
substitutions;  (r=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

Mcases 

(case:  msg_id(n)  =  64 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  64... \", 
setflag  traceflag  off, 

interpret  every_case. proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  64.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  *  65 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  65... \", 
setflag  traceflag  off, 

interpret  e very_case. proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  65.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  66 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  66... \", 
setflag  traceflag  off , 

interpret  every_case.proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  66.. 
setflag  traceflag  off) 

case:  (msg_id(n)  "=  64  &  msg_id(n)  "=  65  &  msg_id(n)  “=  66) 
proof : 

(setflag  traceflag  on, 

comment  \ "Deferring  proofs  for  all  ids  except  : 

64,  65,  and  66  ...  \", 
setflag  traceflag  off. 
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defer) ) , 


interpret  printdate_if .wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case .proof , 
setflag  traceflag  off)") 

(def proof  step.case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step.case .proof ... \" , 
comment  \"This  version  of  step.case. proof  handles  message  ids:  67\", 
setflag  traceflag  off , 

interpret  printdate.if .wanted. 


;  Get  the  possible  message  identifiers  for  n 

pro veby instantiation 

using:  allowed.message.ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above ,  and  defer  all  other  cases 

meases 

(case:  msg_id(n)  =  67 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  67... \", 
setflag  traceflag  off , 

interpret  every.case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  67.... \", 
setflag  traceflag  off) 
case:  msg.id(n)  "=  67 
proof : 

(setflag  traceflag  on, 

comment  \"Def erring  proofs  for  all  message  ids  except  :  67  \", 
setflag  traceflag  off, 
defer) ) , 

interpret  printdate. if .wanted, 
close, 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case .proof .. .\" , 
setflag  traceflag  off)") 
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(def proof  step.case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case .proof , 
comment  \"This  version  of  step_case. proof  handles  message  ids 
80,  81,  82,  and  83\", 
setflag  traceflag  off , 

interpret  printdate_if _iianted. 


;  Get  all  the  possible  message  ids  for  n 

pr o veby inst  ant iat ion 

using:  allowed_message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg_id(n)  =  80 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  80... \", 
setflag  traceflag  off, 

interpret  e very_case. proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  80.... \'', 
setflag  traceflag  off) 

case:  msg_id(n)  =  81 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  81... \", 
setflag  traceflag  off, 

interpret  every_case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  81.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  82 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  82... \", 
setflag  traceflag  off , 

interpret  eTery_case.proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  82.... \", 
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setflag  traceflag  off) 


case:  Bisg_id(n)  =  83 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  83... \", 
setflag  traceflag  off, 

interpret  every_case.proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  83.... \", 
setflag  traceflag  off) 

case:  (msg_id(n)  "=  80  &  msg_id(n)  "=  81  &  msg_id(n)  “=  82 
&  msg_id(n)  "'=  83) 

proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  ids  except  : 

80,  81,  82,  and  83  ...  \", 
setflag  traceflag  off, 

defer)) , 

interpret  printdate.if .wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case. proof .. .\", 
setflag  traceflag  off)") 

(defproof  step.case .proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step.case .proof ... \" , 
comment  \"This  version  of  step.case. proof  handles  message  ids: 

84,  85,  86,  and  87\", 
setflag  traceflag  off, 

interpret  printdate.if .wanted, 

;  Get  all  the  possible  message  ids  for  n 

provebyinstant iat ion 

using:  allowed.message.ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg_id(n)  =  84 
proof : 

(setflag  traceflag  on. 


comment  \"Currently  handling  message  id  84... \", 
setflag  traceflag  off, 

interpret  eTrery_case .proof , 

setflag  traceflag  on, 

coiment  \"Finished  with  message  id  84.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  85 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  85... \", 
setflag  traceflag  off, 

interpret  every_case .proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  85.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  86 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  86... \", 
setflag  traceflag  off, 

interpret  every_case. proof, 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  86.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  87 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  87... \", 
setflag  traceflag  off, 

interpret  every_case . proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  87.... \", 
setflag  traceflag  off) 

case:  (msg_id(n)  "=  84  k  msg_id(n)  "=  85  k  msg_id(n)  "=  86 
k  msg_id(n)  "=  87) 

proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  ids  except  : 

84,  85,  86,  and  87  ...  \", 
setflag  traceflag  off , 

defer) ) , 
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interpret  printdate_if _wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  nith  interpretation  of  step_case .proof ... \ 
setflag  traceflag  off)") 

(def proof  step.case. proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step_case .proof ... \" , 
comment  \"This  version  of  step_case. proof  handles  message  ids 
88,  89,  and  90\", 
setflag  traceflag  off, 

interpret  printdate_if _Banted, 


;  Get  all  the  possible  message  ids  for  n 

provebyinst  ant iat ion 

using:  alloBed_message_ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
:  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg_id(n)  =  88 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  88... \", 
setflag  traceflag  off, 

interpret  every_case .proof , 

setflag  traceflag  on, 

comment  \"Finished  vith  message  id  88.... \", 
setflag  traceflag  off) 

case:  msg_id(n)  =  89 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  89... \", 
setflag  traceflag  off, 

interpret  every_case. proof, 

setflag  traceflag  on, 

comment  \"Finished  Bith  message  id  89. _ \" , 

setflag  traceflag  off) 

case:  msg_id(n)  =  90 
proof : 

(setflag  traceflag  on. 
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coMent  \"Currently  handling  message  id  90... \", 
setf lag  tracef lag  off , 

interpret  every_case .proof , 

setf lag  tracef lag  on, 

comment  \"Finished  with  message  id  90.... \", 
setflag  traceflag  off) 

case:  (msg_id(n)  ~=  88  k  msg_id(n)  ■"=  89  &  msg_id(n)  ~=  90) 
proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  ids  except  : 

88,  89,  and  90  ...  \", 
setflag  traceflag  off, 

defer) ) , 

interpret  printdate_if .wanted, 
close , 

setflag  traceflag  on, 

coBuaent  \"Finished  with  interpretation  of  step.case  .proof ..  .\"  , 
setflag  traceflag  off)") 

(defproof  step.case. proof 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step.case. proof .. .\" , 
comment  \"This  version  of  step.case. proof  handles  message  ids:  91\", 
setflag  traceflag  off , 

interpret  printdate.if .wanted, 

;  Get  the  possible  message  identifiers  for  n 

provebyinstantiation 

using:  allowed.message.ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg.id(n)  =  91 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  91... \", 
setflag  traceflag  off , 

interpret  every.case. proof, 

setflag  traceflag  on, 

comment  \''Finished  with  message  id  91.... \", 
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setflag  traceflag  off) 
case:  msg_id(n)  “=  91 
proof : 

(setflag  traceflag  on, 

comment  \"Deferring  proofs  for  all  message  ids  except  :  91  \" 
setflag  traceflag  off , 
defer)) , 

interpret  printdate_if _wanted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  with  interpretation  of  step.case.proof . . , 
setflag  traceflag  off)") 

(def proof  step. case. pro of 
"(setflag  traceflag  on, 

comment  \"Beginning  interpretation  of  step.case .proof ... \" , 

comment  \"This  version  of  step.case. proof  handles  message  ids:  92  cind  93\' 

setflag  traceflag  off, 

interpret  printdate.if. wanted. 


;  Get  all  the  possible  message  ids  for  n 

pr o veby inst  ant iat ion 

using:  allowed.message.ids 
substitutions:  (x=n) , 

;  Run  the  cases  for  the  message  identifiers  mentioned  in  the 
;  comment  above,  and  defer  all  other  cases 

meases 

(case:  msg.id(n)  =  92 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  92... \", 
setflag  traceflag  off, 

interpret  e very.case. proof , 

setflag  traceflag  on, 

comment  \"Finished  with  message  id  92.... \", 
setflag  traceflag  off) 

case:  msg.id(n)  =  93 
proof : 

(setflag  traceflag  on, 

comment  \"Currently  handling  message  id  93. .  .\", 
setflag  traceflag  off, 

interpret  every. case .proof , 
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setflag  traceflag  on, 

comment  \"Finished  with  message  id  93.... \", 
setflag  traceflag  off) 


case:  (msg_id(n)  92  &  msg_id(n)  93) 
proof : 

(setflag  traceflag  on, 

comment  \"Def erring  proofs  for  all  ids  except  :  92  and  93... 
setflag  traceflag  off, 

defer)) , 

interpret  printdate_if_Banted, 
close , 

setflag  traceflag  on, 

comment  \"Finished  oith  interpretation  of  step_case .proof ... \" , 
setflag  traceflag  off)") 


9.2  The  main  proof 


;  Syntax:  Common-lisp;  Package:  USER;  Mode:  LISP 

;  File  name  :  /u/versys/msx/infinite_sequence_data_structure_messages .proof 

;;;  This  file  contains  the  main  proof  and  the  proof  prelude. 

; ;  Proof  prelude  does  various  tasks  that  are  needed  before  the  proof  of 
;;  inf inite_sequence_data_structure_messages.sd  begins. 

(defproof  prelude 

"(setflag  traceflag  on, 

comment  \  "Entering  prelude ...  \  ", 
setflag  traceflag  off, 

;  load  the  new  adatr  fixes. . . 
eval  (load_adatr_f ix) , 

;  Load  the  lisp  file  with  the  new  proof  commands 
eval  (load  \  "/u/versys/msx/new_proof_commands  \  ") , 

;  Translate  the  program. 

adatr  \  "/u/versys/msx/msx_program_final_version.a  \  ", 

;  Read  in  the  file  containing  definitions,  lemmas,  etc.  needed  in 
;  the  main  proof. 

read  \  "/u/versys/msx/infinite_sequence_data_structure_messages.defs  \ 

setflag  traceflag  on, 

comment  \  "Exiting  prelude. . .  \  ", 
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setflag  traceflag  off)") 


;;  Proof  main. proof  is  the  top-level  proof  of  the  correctness  assertion  for 
; ;the  program. 


(def proof  main. proof 

"(interpret  prelude, 
setflag  autoclose  off , 

prove  inf inite_sequence_data_structure_messages . sd 
proof : 

(setflag  traceflag  on, 
comment  \  "Starting  main  proof...  \  ", 
setflag  traceflag  off , 

let  timing  =  false, 

interpret  printdate.if.wanted, 

; Since  the  postcondition  has  the  form  x  ge  1  — >  ...,  ve 
; immediately  get  rid  of  the  trivial  case  "(x  ge  1). 

cases  "(x  ge  1) 
then  proof : 

(setflag  traceflag  on, 
comment  \  "Trivial  case...  \  ", 
setflag  traceflag  off , 
close) 

else  proof: 

(setflag  traceflag  on, 

comment  \  "Starting  non-trivial  case...  \  ", 
setflag  traceflag  off, 

interpret  printdate_if_wanted, 

;  Go  to  the  beginning  of  the  main  loop  in  the 
;  program,  handling  the  constant  arrays 

interpret  f ix_constant_arrays, 
interpret  go_to_beginning_of_loop, 
interpret  do_lets, 

comment  \  "Starting  induction. . .  \  ", 

induct  on :  n 

from:  1 

to:  X  +  1 

invariants: 

( 

;Needed  for  covering  information 

pcovering( .msx_program_final_version,old_universe) , 
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;  Variable  values 


.build_in_progress  =  false, 

. c*d_count  =  0 , 

.lost_cmd  =  false, 

. app_*sg_counter  =  0, 

; Queue  variables  and  bounds 

. q_head 

=  1  +  .q_tail  mod  . app_msg_q_size , 

.q_head  ge  origin (app_msg_q) , 

.q.head 

le  (origin(app_msg_q)  + 
range (app_msg_q) )  -  1, 

.q.tail  mod  . app_msg_q_si2e  +  1 
ge  origin (app_msg_q) , 

.q_tail  mod  . app_msg_q_si2e  +  1 
le  (origin(app_msg_q)  + 

range (app_msg_q))  -  1, 

: State  delta  at  beginning  of  loop 

formula (loopsd) , 

; Input/output  counters  are  where  they  should  be 

msg_input_begiiis_at(n)  =  .stdin  \\  ctr, 
msg_output_begins_at(n)  »  .stdout  \\  ctr, 

; Output  condition  is  true  after  execution  of  loop  when 
;n  =  X.  This  is  stated  in  this  way  due  to  efficiency 
; considerations  (i.e.,  the  more  straightforward  way 
; introduces  many  new  places  -  see  report  for  more  details). 

n  =  X  +  1  — >  formula(output_condition)) 

comodlist : 

(diff 

(old_universe , 
union ( 

cmd.buf , cmd_status_buf , cmd.status , 
lost_cmd,cmd_count ,f ifo_not_empty_count , 
io_status_word, app_msgs . cmd_count , 
app.msgs . cmd_bstatus_buf , 
app_msgs ,lost_cmd, 
app_msgs .f ifo_not_empty_count , 
re j  ected_cmd_comsg , app_msg_q , 
build_in_progress , scmd_with_par , 
word_cntr , cmds_rcmds_f or_app_msg , 
nuB_words_f  or_app_msg , cont ail , q_head , 
app_msg_co\inter ,  cmd_last_app_msg , 
saved_sat_subsys_conf ig,load_msg, cmd_total , 
app_msgs.io_status_Hord, stdout  \\  ctr. 
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msx_program_f inal_version  \\  pc, 
msx_prograin_f inal_Tersion,stdin  \\  ctr .stdout) ) ) 


modlist : 

(cmd_buf , cmd_status_buf , cmd_status , lost_cmd , 
cnid_count  ,f  if  o_not_enipty_count , 
io_status_Bord ,  app_msgs .  aiid_count , 
app_nisgs .  cmd.buf ,  app_msgs .  cmd_status_buf , 
app_nisgs .  lost  _cmd , 
app_msgs .  f  if  o_not_empty_coimt , 
re j  ected_cmd_count , app_msg , app_msg_q , 
build_in_progress ,starting_cmd_Bith_par , 
word_cntr ,  cmds_rcvd  ,nuiii_CBds_f  or_app_msg , 
iituii_Bords_f  or_app_msg ,  cont_cmd,  q_tail ,  q_head , 
app_msg_ c ount er , cmd_last _app_msg , 
saved.sat _subsys_conf ig , load_msg , cmd_tot al , 
app_msgs. io_status_Bord, stdout  \\  ctr, 
msx_prograiii_f inal_version  \\  pc, 
msx_prograni_f iiial_Tersion,stdin  \\  ctr, stdout, 
dif f (all , old.universe) ) 

base  proof:  interpret  base_case .proof 

step  proof:  interpret  step_case .proof , 

interpret  pr int dat e_ if _b anted, 

setflag  traceflag  on, 

comment  \  "Finishing  off  induction  ..  \  ", 
apply  final e.sd, 

setflag  traceflag  off, 
close) , 

interpret  printdate_if _Banted, 
setflag  traceflag  on, 

comment  \  "Finishing  off  main  proof...  \  ", 
setflag  traceflag  off, 

close)  , 

setflag  traceflag  on, 

comment  \  "Main  proof  completed  \  " , 

interpret  printdate_if_Banted)") 
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